MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f0b00fd25e3f6ebd2785a20827cded5f543c2009cf3469982daa2efddf760be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f0b00fd25e3f6ebd2785a20827cded5f543c2009cf3469982daa2efddf760be
SHA3-384 hash: 450819fb08cf5b7342d77f174ae55363820eb2c6d7338b78d1cd9c78ae34e2bf60448fd724bb51ba212288abc5a67471
SHA1 hash: 54fda379ce0ffdf3dac51b51d320f898c7d02399
MD5 hash: 6bf8602a568d0be97816ab878e1259a1
humanhash: illinois-charlie-shade-triple
File name:6bf8602a568d0be97816ab878e1259a1
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2021-11-11 10:09:28 UTC
Last seen:2021-11-11 11:25:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash db5d72a5afeb9ce66c81583f89fe1e70 (1 x GuLoader)
ssdeep 1536:y5kP9nhb4TtbVzRPK0QAQ3mHHuydj7YjawNhZ1J:z9nOTtbFZKB3zOj7uaahnJ
Threatray 7'118 similar samples on MalwareBazaar
TLSH T1EEB39E537A89C49DD9B5F770D8235694401ABCF0597B8B0E2FC53B0CBBB9B02E88175A
File icon (PE):PE icon
dhash icon 0000000000000303 (2 x GuLoader)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
078e2e372472d2e4afc30e4196fea6636ad77c618010e6575c5ac6169098f7bc.docx
Verdict:
Malicious activity
Analysis date:
2021-11-11 09:18:12 UTC
Tags:
generated-doc opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/208766c3-0023-4bb8-bc1b-f40d41dba65a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
GuLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204945/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.28811.17203.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit guloader
Link:
https://www.filescan.io/uploads/618cebfedec3347825a1ebaf/reports/76f47526-e347-4851-b164-ff08591a97d6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a9d73ed-7a32-4fb6-ba6b-c809ccb47d9d
Result
Threat name:
GuLoader AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887379
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f0b00fd25e3f6ebd2785a20827cded5f543c2009cf3469982daa2efddf760be/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 10:10:07 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
GuLoader
0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c
GuLoader
41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2
GuLoader
49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270
GuLoader
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
GuLoader
7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9
GuLoader
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
GuLoader
da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc
GuLoader
e13745c95f7bcf403f519efbdf2ab8988f5237c20f9054d994e1e3d8ecf12784
GuLoader
+ 7'108 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:formbook family:guloader campaign:wp1p collection downloader keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/211111-l7djragbgl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks QEMU agent file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
Formbook Payload
AgentTesla
Formbook
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://www.metafirsat.com/wp1p/
Unpacked files
SH256 hash:
4f0b00fd25e3f6ebd2785a20827cded5f543c2009cf3469982daa2efddf760be
MD5 hash:
6bf8602a568d0be97816ab878e1259a1
SHA1 hash:
54fda379ce0ffdf3dac51b51d320f898c7d02399
Link:
https://www.unpac.me/results/f2ab3026-191a-45ef-951b-acd739b068ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4f0b00fd25e3f6ebd2785a20827cded5f543c2009cf3469982daa2efddf760be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 4f0b00fd25e3f6ebd2785a20827cded5f543c2009cf3469982daa2efddf760be

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/204945/
  
URLhaus
https://urlhaus.abuse.ch/url/1775994/

Comments


Avatar
zbet commented on 2021-11-11 10:09:29 UTC

url : hxxp://192.3.122.180/3222/vbc.exe