MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 678f5356383226188eefe55ad0cc0bb5706ef0f834ee608b74f9c7acd9b4c016. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 678f5356383226188eefe55ad0cc0bb5706ef0f834ee608b74f9c7acd9b4c016
SHA3-384 hash: 57c03a6ca5fdbc2c3b1dd60b54d722c00c80a279326f81554cd16b9bbe758c0c9aac108a1ffc99eff1f6bf74d1ea0d8a
SHA1 hash: 00d818bd774a88d6b00d7786c973eaeabbf4412f
MD5 hash: 9934632c78dcaaa295c29a444f516af3
humanhash: tango-london-coffee-high
File name:SOLICITUD DE OFERTA (2).exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:678'880 bytes
First seen:2023-03-15 13:45:30 UTC
Last seen:2023-03-15 15:38:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep 12288:uRyaQ2nE0tLm1NKQC/5FIgf3WqgBrh+ftddOYLQnJfp2+:wEAmb6hFI43WqgBrhorOYql
Threatray 411 similar samples on MalwareBazaar
TLSH T133E4F14436A58816CBD467324FABD2314B60AD5D79358A4F67F8BF1B3FFE2830906264
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 30f0dcf0d00e0040 (3 x GuLoader)
Reporter malwarelabnet
Tags:AgentTesla exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-15T08:19:04Z
Valid to:2025-11-14T08:19:04Z
Serial number: 55f8ec5d331887a96090778c90ef5247c16e1773
Thumbprint Algorithm:SHA256
Thumbprint: 9bb02eae56516bda932c2f0a236abf684efcc7ac3c5b761e744a919191befda6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOLICITUD DE OFERTA (2).exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 13:51:27 UTC
Tags:
installer
Link:
https://app.any.run/tasks/76a39ea7-416b-41ec-a38a-7f2e9fac03a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374540/
Detection(s):
SecuriteInfo.com.Trojan.NSIS.Agent.3911.28946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6411cc1d935ba6703eab26f1/reports/f1dfbdea-712c-4e5c-a94f-84715e8a7ae0/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/678f5356383226188eefe55ad0cc0bb5706ef0f834ee608b74f9c7acd9b4c016
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/45a239d6-5011-4801-b427-67f6d7dd9641
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194163
Signature
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 827064 Sample: SOLICITUD_DE_OFERTA_(2).exe Startdate: 15/03/2023 Architecture: WINDOWS Score: 100 28 googlehosted.l.googleusercontent.com 2->28 30 drive.google.com 2->30 32 doc-0g-84-docs.googleusercontent.com 2->32 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected GuLoader 2->40 42 Yara detected AgentTesla 2->42 44 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->44 8 SOLICITUD_DE_OFERTA_(2).exe 1 35 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\...\System.dll, PE32 8->20 dropped 22 C:\Users\user\AppData\...\vm3ddevapi64.dll, PE32+ 8->22 dropped 24 C:\Users\user\AppData\...\libgcc_s_seh-1.dll, PE32+ 8->24 dropped 26 C:\Users\user\AppData\...\IA2Marshal.dll, PE32+ 8->26 dropped 46 Writes to foreign memory regions 8->46 48 Tries to detect Any.run 8->48 12 CasPol.exe 11 8->12         started        16 CasPol.exe 8->16         started        signatures6 process7 dnsIp8 34 drive.google.com 142.250.181.238, 443, 49837 GOOGLEUS United States 12->34 36 googlehosted.l.googleusercontent.com 142.250.186.129, 443, 49838 GOOGLEUS United States 12->36 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 56 Tries to detect Any.run 12->56 18 conhost.exe 12->18         started        58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->60 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/678f5356383226188eefe55ad0cc0bb5706ef0f834ee608b74f9c7acd9b4c016/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 12:28:33 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
12 of 39 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6hvgvrygitbrdxp4vnnbtalwvyg54hygtxgbc3u7hd2zwnuyala._file
Verdict:
malicious
Similar samples:
01ff3a6ce715226b103f3bf80bdb44737fc8bccd38119a7372d8cdcfd3b034c7
GuLoader
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
GuLoader
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
GuLoader
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
GuLoader
82a31318a931319c6478e3d03d14e95e73e5e989fd4f7636114b44cd30d1dfca
GuLoader
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
GuLoader
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
GuLoader
c4eefee00be644fdee054af38c62e0a436072bc1587486d61c0c63b0728853b2
GuLoader
f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841
GuLoader
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
GuLoader
+ 401 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230315-q2zbgsfe3v/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
MD5 hash:
960a5c48e25cf2bca332e74e11d825c9
SHA1 hash:
da35c6816ace5daf4c6c1d57b93b09a82ecdc876
Link:
https://www.unpac.me/results/4784f263-63df-433a-857c-a46f423ddc72/
SH256 hash:
678f5356383226188eefe55ad0cc0bb5706ef0f834ee608b74f9c7acd9b4c016
MD5 hash:
9934632c78dcaaa295c29a444f516af3
SHA1 hash:
00d818bd774a88d6b00d7786c973eaeabbf4412f
Link:
https://www.unpac.me/results/4784f263-63df-433a-857c-a46f423ddc72/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/678f53563832/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/678f5356383226188eefe55ad0cc0bb5706ef0f834ee608b74f9c7acd9b4c016

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374540/

Comments