MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
SHA3-384 hash: 4848e6345709a8143df49ffc2c4a4f70d404363f3b651c8d7958e63b67ed1b030f23cd5104caa5e9539daf16a18f4e63
SHA1 hash: 1d3dd4ed88af22c3de29c918b37db6f0b73c94c4
MD5 hash: 2f2102ec5776497950e89e419515efee
humanhash: papa-lima-louisiana-aspen
File name:Purchase Order PO20211027STK.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:131'031 bytes
First seen:2021-12-01 08:56:09 UTC
Last seen:2021-12-01 14:05:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:gbG7N2kDTHUpou4ubV4QviYqsYLQyI9xxsFIRO7c3fkA:gbE/HUjV4QviYJMQXyFIR2HA
Threatray 7'816 similar samples on MalwareBazaar
TLSH T198D3E010B7A0D927E471467649336FBB6BFBA92244999EC707603E0D3C23780C92E75D
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order PO20211027STK.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-01 09:00:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f919b501-9504-45a0-b275-dd88a3241910

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
GuLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210215/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.10148.11350.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
DNS request
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/412/overview
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61a738dfb3ca88e2e7747351/reports/2d670408-654e-4daa-a551-8d7555811b6b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87b8f6a6-e22d-4bca-8829-a60a8df00f82
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899254
Signature
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 531732 Sample: Purchase Order PO20211027STK.exe Startdate: 01/12/2021 Architecture: WINDOWS Score: 100 22 onedrive.live.com 2->22 24 ervtqq.bl.files.1drv.com 2->24 26 bl-files.fe.1drv.com 2->26 28 Found malware configuration 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 GuLoader behavior detected 2->32 34 6 other signatures 2->34 9 Purchase Order PO20211027STK.exe 9 2->9         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\...\SPORENE.exe, PE32 9->20 dropped 12 SPORENE.exe 9->12         started        process6 signatures7 36 Writes to foreign memory regions 12->36 38 Tries to detect Any.run 12->38 40 Hides threads from debuggers 12->40 15 CasPol.exe 1 12->15         started        process8 signatures9 42 Tries to detect Any.run 15->42 44 Hides threads from debuggers 15->44 18 conhost.exe 15->18         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 06:48:38 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5unukomj34tzndzb5te4e45dwgcs4xcf7uiic3lq3cq4fo3undq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1ed21fc2049e9b5697a5d8ec374c41bcbf83c6210fab4d58b6bdf1282f44c739
GuLoader
58de41e1c48a304c1f7f289fe5c8976d82b8968aae89497adf7c60cda25deaaf
GuLoader
5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96
GuLoader
7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9
GuLoader
84bbdc0b303d03c1ef4ee6d48dedd94181d8fc5650a20b557a555b0917aaf879
GuLoader
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
GuLoader
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
GuLoader
dafe42f172204ac9777c502bf75a2aa9d621c5bba23080815439446f10b74cab
GuLoader
+ 7'806 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211201-kwk9saeba9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
5a9bb5302609333a4473d889bbe7500baac06d881f123efa233e5c9daa122e69
MD5 hash:
03d56ce3fc2ebbb1b69fad8f781a7a84
SHA1 hash:
e674966f4b816d58e30e51fe8792759a6157033b
Link:
https://www.unpac.me/results/c4259a1c-af2a-47f5-a9e9-d373ddf4217d/
SH256 hash:
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
MD5 hash:
2f2102ec5776497950e89e419515efee
SHA1 hash:
1d3dd4ed88af22c3de29c918b37db6f0b73c94c4
Link:
https://www.unpac.me/results/c4259a1c-af2a-47f5-a9e9-d373ddf4217d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347

(this sample)

  
Dropped by
guloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/210215/

Comments