MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781
SHA3-384 hash: e6cff92f5f2d35191e98965e91166c2fa9917ea27dc878f5a26635e58ae093b7d55b319bf310e46517f7b88714423a9c
SHA1 hash: a8986af26081377c7c2798d8a42086c0fcdef917
MD5 hash: 234bd1f18b6515181f63f2daf09af231
humanhash: eight-oranges-georgia-oregon
File name:Statement of Account (September).exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:200'288 bytes
First seen:2022-10-27 12:22:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 6144:KDSoIKpTeBCPh/jlZalYvgm4vI7nyW4xV:U0CPh/y6an7D
Threatray 20 similar samples on MalwareBazaar
TLSH T1781412666AF4D493F1931E741EF61776FAB1B3002A31828B2F041F957E30B43AA9509D
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-26T07:41:44Z
Valid to:2025-10-25T07:41:44Z
Serial number: -1833bb2a93d7bfc2
Thumbprint Algorithm:SHA256
Thumbprint: 812a3f68a58973d5c0ffad0acceca259104f709085409ee75a8ea7476429424f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Statement of Account (September).exe
Verdict:
Malicious activity
Analysis date:
2022-10-27 12:24:32 UTC
Tags:
installer guloader
Link:
https://app.any.run/tasks/7d647a80-cde2-4af7-9007-9ca5f546b6a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324882/
Detection(s):
SecuriteInfo.com.Adware.Agent.OKV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9b959b8b-e805-4f73-96e8-0383d74ad4a0
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.adwa.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099289
Signature
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 731938 Sample: Statement of Account (Septe... Startdate: 27/10/2022 Architecture: WINDOWS Score: 100 39 api.telegram.org 2->39 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 5 other signatures 2->59 8 Statement of Account (September).exe 2 33 2->8         started        12 NXLun.exe 2 2->12         started        14 NXLun.exe 1 2->14         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\System.dll, PE32 8->33 dropped 61 Writes to foreign memory regions 8->61 63 Tries to detect Any.run 8->63 16 CasPol.exe 18 15 8->16         started        21 CasPol.exe 8->21         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        signatures6 process7 dnsIp8 35 api.telegram.org 149.154.167.220, 443, 49830 TELEGRAMRU United Kingdom 16->35 37 192.227.183.138, 49828, 80 AS-COLOCROSSINGUS United States 16->37 29 C:\Windows\System32\drivers\etc\hosts, ASCII 16->29 dropped 31 C:\Users\user\AppData\Roaming\...31XLun.exe, PE32 16->31 dropped 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->41 43 Tries to steal Mail credentials (via file / registry access) 16->43 45 Creates multiple autostart registry keys 16->45 51 5 other signatures 16->51 27 conhost.exe 16->27         started        47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->49 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781/
Threat name:
Win32.Trojan.Minix
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 09:34:27 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxoh3loaklgsl7nuc4oaxjmfz5r3z7deqzklw7nc4k3j5sjau6aq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
GuLoader
37c86f121c6f2444ba270e021f0fe141de6dac7cba6267e9a873f72eabb6bbff
GuLoader
43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286
GuLoader
65e331380851f9aced88e0aa9e78e70d04131fa073c5278f6e7fbeb0dff82267
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
79f0258fb0f3f2379e0a0320a754686cbc9e4627240f03663276b6b724952fb9
GuLoader
7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92
GuLoader
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
GuLoader
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221027-pkfx5scba3/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
MD5 hash:
960a5c48e25cf2bca332e74e11d825c9
SHA1 hash:
da35c6816ace5daf4c6c1d57b93b09a82ecdc876
Link:
https://www.unpac.me/results/72799cd2-fb50-4592-986e-9c0cccbd6d0b/
SH256 hash:
4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781
MD5 hash:
234bd1f18b6515181f63f2daf09af231
SHA1 hash:
a8986af26081377c7c2798d8a42086c0fcdef917
Link:
https://www.unpac.me/results/72799cd2-fb50-4592-986e-9c0cccbd6d0b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/324882/

Comments