MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49
SHA3-384 hash:	9f8f1390140abaa53dd66e2192986c3cad629787e3200fdc39e858cd7ad417b28f6a71c99a352bd9ab5575f2fddd21c8
SHA1 hash:	1cf7ba24d1157a1b4add218db224d34c2bb416dc
MD5 hash:	57f282205cc0abd33d339ccedf0df2f1
humanhash:	nevada-snake-enemy-florida
File name:	20230328.bat
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	647'517 bytes
First seen:	2023-03-30 07:26:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep	6144:sMm4CCHM4NL26fgvHOg3UXy5bpBUWwVl57DDCu96qvjIegLl3:sMwg/NL26fgvHOFyrKxl7vCM6qbIeal3
TLSH	T119D408F9B224C1AAE2BB46F17D2B686421F7ACAD98D0421D26BDB71C05B271111DFD0F
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c8bae6ce9c98968e (4 x SnakeKeylogger, 1 x GuLoader)
Reporter	lowmal3
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

20230328.bat

Verdict:

Malicious activity

Analysis date:

2023-03-30 07:33:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/43adb17f-be51-4076-9956-6a54b15ba0f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/378706/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Delayed reading of the file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/75711/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo guloader overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6425398dca865a884348d950/reports/75f89724-20cc-411e-98b3-047c6c9b91d0/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ec6bc86f-d754-4eba-9617-50ab8a2f4e0b

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1205339

Signature

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nmz5zuu2hpo3av2mkc3ajw2rxaembee57c7owv275kexttsv3veq._file

Result

Malware family:

guloader

Score:

10/10

Tags:

family:agenttesla family:guloader collection downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230330-h9jl1ada3z/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

AgentTesla

Guloader,Cloudeye

Unpacked files

SH256 hash:

7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

MD5 hash:

564bb0373067e1785cba7e4c24aab4bf

SHA1 hash:

7c9416a01d821b10b2eef97b80899d24014d6fc1

Link:

https://www.unpac.me/results/1589a459-2238-49cd-98c5-6bc75715caca/

SH256 hash:

8c0da6a524382a2cf75bfb8af0687a5e29fa035d6af88b0719f0624fc7de06a9

MD5 hash:

cccb1bd55354703ea1c7019e07b8d7e4

SHA1 hash:

5ff6248090f0f3f6a1b466106c2a339e9fa20f24

Link:

https://www.unpac.me/results/1589a459-2238-49cd-98c5-6bc75715caca/

SH256 hash:

62b3db0446750ca9fd693733eec927acc1f50012a47785343286e63b650b7621

MD5 hash:

1871af84805057b5ebc05ee46b56625d

SHA1 hash:

50e1c315ad30f5f3f300c7cd9dd0d5d626fe0167

Link:

https://www.unpac.me/results/1589a459-2238-49cd-98c5-6bc75715caca/

SH256 hash:

6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49

MD5 hash:

57f282205cc0abd33d339ccedf0df2f1

SHA1 hash:

1cf7ba24d1157a1b4add218db224d34c2bb416dc

Link:

https://www.unpac.me/results/1589a459-2238-49cd-98c5-6bc75715caca/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6b33dcd29a3b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/378706/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample