MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c
SHA3-384 hash: ddd2e4b01f3b704a48fa47461bfa0d4dc32c6b92a1f1ae49cbabc2a772e0d9130ed7fb32080e155e359ca2809badadf4
SHA1 hash: 204df6cd1e8183eb59c6df215c58b420eb7c332f
MD5 hash: 9996bf258e329480172796e49489d03e
humanhash: bakerloo-delta-steak-apart
File name:RFQ 002902999.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:556'240 bytes
First seen:2023-12-22 09:11:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (384 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 12288:1qIl7vEpuZnwI/fvYDNLn7J6cxHY/KqlgsUAjwlJgFp:FvEpAwaHYDN7kcVY/KqljUhQFp
TLSH T18BC42330A1A995D3DED1CF309C33A7AB9CA25C117841A24F52F43B2F3E75A60A65E707
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 424ae4a2d2acbe15 (2 x GuLoader)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Sprintets
Issuer:Sprintets
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-25T08:19:25Z
Valid to:2026-06-24T08:19:25Z
Serial number: 2094e23e892e942a0e418012a85be6d72987d9ec
Thumbprint Algorithm:SHA256
Thumbprint: 5419b5c97669772aa32df3fe614211fa4fa753191ce19f2586c0c9860c3cd598
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469028/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/658552aaf4b6e5e1635483b5/reports/dd21f71c-d582-47cc-a7a0-ea8651241789/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bfb6297-38f9-4841-aa20-1f0129e8abfa
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366136
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366136 Sample: RFQ_002902999.exe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 31 mail.qualityaf.com 2->31 33 api4.ipify.org 2->33 35 api.ipify.org 2->35 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 8 other signatures 2->53 9 RFQ_002902999.exe 34 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\...\Rosario.New, ASCII 9->25 dropped 27 C:\Users\user\AppData\...\Dullardness.reg, data 9->27 dropped 29 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->29 dropped 63 Suspicious powershell command line found 9->63 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 65 Suspicious powershell command line found 13->65 67 Very long command line found 13->67 69 Found suspicious powershell code related to unpacking or dynamic code loading 13->69 16 powershell.exe 15 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 43 Writes to foreign memory regions 16->43 45 Maps a DLL or memory area into another process 16->45 21 MSBuild.exe 15 8 16->21         started        process11 dnsIp12 37 212.162.149.96, 49710, 80 UNREAL-SERVERSUS Netherlands 21->37 39 mail.qualityaf.com 192.185.148.49, 49712, 49713, 49715 UNIFIEDLAYER-AS-1US United States 21->39 41 api4.ipify.org 104.237.62.212, 443, 49711 WEBNXUS United States 21->41 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->57 59 Tries to steal Mail credentials (via file / registry access) 21->59 61 2 other signatures 21->61 signatures13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-22 06:51:32 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
10 of 37 (27.03%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=opbywd524flcru4vcx73x2gxdkull734nci6yx4md4x4nipqeega._file
Verdict:
unknown
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231222-k5la5sgda3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
MD5 hash:
c5b9fe538654a5a259cf64c2455c5426
SHA1 hash:
db45505fa041af025de53a0580758f3694b9444a
Link:
https://www.unpac.me/results/9c57a705-0c66-44d7-9f83-1b26ffbc372c/
SH256 hash:
8c6a95a1bf06c22224ab43bc1a1948f2cb0fd8d7089f2b828033c0fde161d2c2
MD5 hash:
d5bf01b2a316120d3d906e48e850520e
SHA1 hash:
a0e2f1caca1d35c227d231e6063d71ffe1d06322
Link:
https://www.unpac.me/results/9c57a705-0c66-44d7-9f83-1b26ffbc372c/
SH256 hash:
73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c
MD5 hash:
9996bf258e329480172796e49489d03e
SHA1 hash:
204df6cd1e8183eb59c6df215c58b420eb7c332f
Link:
https://www.unpac.me/results/9c57a705-0c66-44d7-9f83-1b26ffbc372c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/73c38b0fbae1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 73c38b0fbae15628d39515ffbbe8d71aa8b5ff7c6891ec5f8c1f2fc6a1f0210c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/469028/

Comments