MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7
SHA3-384 hash: b2e7cba669fefd4fa687ffc55f21a357ca8a51c572fb3de01cdb44ad93aa329ea54d41bf48705b8ca95aa715f5b44e95
SHA1 hash: 45c53cc691776530bf1c983be3188b6b63fde359
MD5 hash: ca66a833a47f3c8f28ec46d2e75527df
humanhash: social-winner-six-queen
File name:Facturas Pagadas al VencimientoPDF.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:312'488 bytes
First seen:2022-09-20 07:17:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 6144:Bhgqhw9oAFPZVheNA+ff0RxV4xnXAO0t02HkSq:0qknhe2e6nUXkW24
Threatray 1'243 similar samples on MalwareBazaar
TLSH T1B064289238CA756FDC2F5A74035FEAB22A795CE07382496E4F40720D4C3664A90EEDD7
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c88604b919c6c6c0 (77 x GuLoader, 10 x Formbook, 8 x AgentTesla)
Reporter TeamDreier
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-29T02:00:13Z
Valid to:2025-05-28T02:00:13Z
Serial number: -0ffde1d10c854412
Thumbprint Algorithm:SHA256
Thumbprint: 2a3474eb3718150c9b676c6419f8742ce9ea5db74b009dc8a1752355d570586c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
482
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Facturas Pagadas al VencimientoPDF.exe
Verdict:
Malicious activity
Analysis date:
2022-09-20 07:18:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a604f86f-5b50-48cc-9add-0b728669bc7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311548/
Detection(s):
SecuriteInfo.com.W32.Injector.ETRR-2693.24130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38209/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63296973a458e2a60a044e52/reports/c43a7107-3308-413a-80b5-3e363e4f7938/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ef2d6220-372c-451f-ad7b-c052d05a1b07
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1073454
Signature
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 705996 Sample: Facturas Pagadas al Vencimi... Startdate: 20/09/2022 Architecture: WINDOWS Score: 100 24 googlehosted.l.googleusercontent.com 2->24 26 drive.google.com 2->26 28 2 other IPs or domains 2->28 36 Snort IDS alert for network traffic 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected GuLoader 2->40 42 4 other signatures 2->42 8 Facturas Pagadas al VencimientoPDF.exe 1 26 2->8         started        signatures3 process4 file5 22 C:\Users\user\AppData\Local\...\System.dll, PE32 8->22 dropped 44 Writes to foreign memory regions 8->44 46 Tries to detect Any.run 8->46 12 CasPol.exe 15 11 8->12         started        16 CasPol.exe 8->16         started        18 CasPol.exe 8->18         started        signatures6 process7 dnsIp8 30 api.telegram.org 149.154.167.220, 443, 49779 TELEGRAMRU United Kingdom 12->30 32 drive.google.com 142.250.184.206, 443, 49777 GOOGLEUS United States 12->32 34 googlehosted.l.googleusercontent.com 142.250.186.33, 443, 49778 GOOGLEUS United States 12->34 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Tries to steal Mail credentials (via file / registry access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 58 2 other signatures 12->58 20 conhost.exe 12->20         started        54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->56 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oezpsqtpho5nv3orlq4znbsa77c22id3hshukdleef2offbpbhlq._file
Verdict:
malicious
Similar samples:
275db34b1b3d894ed18fba50f477ca897bb3656682c7d0ef2941bd7c696e9f80
GuLoader
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
GuLoader
5fd8c33a5491be40bb0685430728361feb280f92f318f7f0a327bd63fca86f99
GuLoader
7d99aa5b81da99461aa61d5542cabce7bc5ffedc56cd1c1d9d6e58e242b38802
GuLoader
a18ab93f8c9268841b6cd59842a935651d9267fa2b8f72b2196cf68f7b57df9d
GuLoader
e5653285dfebc9a95f3a866693752e3f0e62ae312aaf054249067e22cf5836a5
GuLoader
f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d
GuLoader
+ 1'233 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220920-h4yhzaccb3/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f52c599a-4463-4d0b-9f08-c343baab4541
Unpacked files
SH256 hash:
7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7
MD5 hash:
ca66a833a47f3c8f28ec46d2e75527df
SHA1 hash:
45c53cc691776530bf1c983be3188b6b63fde359
Link:
https://www.unpac.me/results/34ec62ac-ccb7-4a78-8d19-4a009925a8e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/311548/

Comments