MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61becb2257f95087577ede433ea399f8dceb89ee6733e90c9919523befe3376e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61becb2257f95087577ede433ea399f8dceb89ee6733e90c9919523befe3376e
SHA3-384 hash: 534bc692b41def687e07b80729608ae24ed8dd3dd1bbddbded7ce5c3d54567a1357ad19c0524b4cc0537ba1e2b166099
SHA1 hash: bb9e34d20523d65aa3dff1817c762c79430e0cd7
MD5 hash: fd8a52c8ef3ffefff9dd3a6547a199c4
humanhash: freddie-fix-triple-romeo
File name:SecuriteInfo.com.Variant.Tedy.164775.28245.3225
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'585'460 bytes
First seen:2022-07-12 17:41:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f10e4da994053bf80c20cee985b32e29 (65 x GuLoader, 9 x RemcosRAT, 6 x QuasarRAT)
ssdeep 24576:1vayPpy9w+w948VUnPoKAk7GjyOKyXGHIfsej5z7rDrJPxFB5i7Yfl2:gSyNw944UnPo9Fj3zHRNXfE
Threatray 2'935 similar samples on MalwareBazaar
TLSH T1BB7512553B89C788D1640C765876C63462BEEC262B09DD03B2D0BF2F7832DD7BA96613
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b271f0f0b2b2d0ec (1 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Tedy.164775.28245.3225
Verdict:
Malicious activity
Analysis date:
2022-07-12 17:47:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12533ad9-dab9-44f3-9ea8-fb936bb06115

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286648/
Detection(s):
SecuriteInfo.com.Variant.Tedy.164775.28245.3225.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
buer guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62cdb2a722051a09ca7454a7/reports/928e54a9-77bd-4d28-82d3-d2469069ea0e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7f18a6e-4f95-4fc8-8182-654a784146e2
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029632
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 662126 Sample: SecuriteInfo.com.Variant.Te... Startdate: 12/07/2022 Architecture: WINDOWS Score: 100 41 scott-int.net 2->41 47 Snort IDS alert for network traffic 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 8 SecuriteInfo.com.Variant.Tedy.164775.28245.exe 2 78 2->8         started        12 svchost.exe 2 2->12         started        14 svchost.exe 1 2->14         started        16 4 other processes 2->16 signatures3 process4 file5 33 C:\Users\user\Music\...\twnlib4.dll, PE32 8->33 dropped 35 C:\Users\user\Music\...\lang-1050.dll, PE32 8->35 dropped 37 C:\Users\user\Music\Klejnen201\...\HEX32.DLL, PE32 8->37 dropped 39 2 other files (none is malicious) 8->39 dropped 69 Writes to foreign memory regions 8->69 71 Tries to detect Any.run 8->71 18 CasPol.exe 2 13 8->18         started        23 CasPol.exe 8->23         started        25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        signatures6 process7 dnsIp8 43 37.0.11.148, 49754, 80 WKD-ASIE Netherlands 18->43 45 scott-int.net 109.203.124.234, 49757, 587 NODE4-ASGB United Kingdom 18->45 31 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 18->31 dropped 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->55 57 Tries to steal Mail credentials (via file / registry access) 18->57 59 Tries to harvest and steal ftp login credentials 18->59 67 3 other signatures 18->67 29 conhost.exe 18->29         started        61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 23->63 65 Drops PE files with benign system names 23->65 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61becb2257f95087577ede433ea399f8dceb89ee6733e90c9919523befe3376e/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 17:42:12 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mg7mwisx7fiiov363zbt5i4z7dooxcpom4z6sdezdfjdx37dg5xa._file
Verdict:
malicious
Similar samples:
121dae49dacf1290b5ef4de577a01161b523d9edf8564fa765e7c00ac6c3b862
GuLoader
2fe1aace85b4bf69778fce02eaba9c3d1a139fd40770d6296d3fd9970efacb18
GuLoader
3faa50f804161625bca7b0f900367c6f6f127a40a0914cdf2d47a463d69795b6
GuLoader
4539d9c199b2fb7c37b08ab4ef32c6edd3e3e26f53f2289fa6ef3eb970cf8970
GuLoader
46328084c6b1d250b46ce080d6426e86753df25bcbd6332b253eb578fa789a5e
GuLoader
9eb7c4ee977f3961ee314e89468f793611fa8c5c95c1f73fdff318b674d6919f
GuLoader
b920c8e03050d0edb34c60f894105d65f847a66bb4f61259b70eca039adf1e3b
GuLoader
dbab95bfe56a7e0a0425eb323f49f545f236168494f79e440279470d0af5652f
GuLoader
dd88182da9939749fdd467feebff34fb9e039a30a8a82756f0337a205620ef07
GuLoader
e9ecd6320125813e0eccee9cb2577c8f55f4d0a29d4d65c26cfc3a3a99198b6b
GuLoader
+ 2'925 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220712-v9f74abebj/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
a65b52120abb5af78c32a060e2f1d7c5591cb55a7501b3453881b1ea6df4e5e7
MD5 hash:
4c6db3229d805241ab31c1da7afc3a22
SHA1 hash:
ab97bc6933e81f25083161bf8b12324918ca78cf
Link:
https://www.unpac.me/results/1acfe307-614f-4b2f-8adf-5242e2a97ea6/
SH256 hash:
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917
MD5 hash:
792b6f86e296d3904285b2bf67ccd7e0
SHA1 hash:
966b16f84697552747e0ddd19a4ba8ab5083af31
Link:
https://www.unpac.me/results/1acfe307-614f-4b2f-8adf-5242e2a97ea6/
SH256 hash:
da49d6bee8888263abfbd410699cb675bd6d9c29e4a305d3117d54e7ae321462
MD5 hash:
909c45dd8bf19cea3792935a768cd16e
SHA1 hash:
456bdc3dcff07a379d672c7ec5ab6a5b7fbc481e
Link:
https://www.unpac.me/results/1acfe307-614f-4b2f-8adf-5242e2a97ea6/
SH256 hash:
61becb2257f95087577ede433ea399f8dceb89ee6733e90c9919523befe3376e
MD5 hash:
fd8a52c8ef3ffefff9dd3a6547a199c4
SHA1 hash:
bb9e34d20523d65aa3dff1817c762c79430e0cd7
Link:
https://www.unpac.me/results/1acfe307-614f-4b2f-8adf-5242e2a97ea6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/61becb2257f95087577ede433ea399f8dceb89ee6733e90c9919523befe3376e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/286648/

Comments