MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1
SHA3-384 hash: e4a7283957f7165434d6dae9be86904a4d865e3c2a5528faf6c5679bbf0c7fc9d9cdd8c93cdd72e2c9b3f756a1e2d6f2
SHA1 hash: 9cbbb70ae41adca7f8bf6a4cff0ea0e19f5a5288
MD5 hash: 238367f3cf7e2a9cba6c2cc17d83ca62
humanhash: violet-north-minnesota-beer
File name:Statement of Account.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:199'760 bytes
First seen:2022-10-24 18:18:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 6144:BDSoIKDfn3zJmfT423qOoDUZnhRvdwmXPG:/Dfn3zob423qOJ/d/G
Threatray 32 similar samples on MalwareBazaar
TLSH T102141212A4D5D8A7F34706B119F3DA73F7B9F3043C305ACB4B6057963A21293CA9A19E
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-16T08:51:16Z
Valid to:2025-02-15T08:51:16Z
Serial number: -5605e6ba0f799c86
Thumbprint Algorithm:SHA256
Thumbprint: 7659f911cd06ed5a91c87012eccd1da29e17deb72605f6567b7a072cdff809c6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
33eb21c6a1661b29381d1a4a5270c3c9.eml
Verdict:
Malicious activity
Analysis date:
2022-10-24 13:21:54 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/fa654d06-09d7-4eb7-a452-f4e099f3bdb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323591/
Detection(s):
SecuriteInfo.com.Adware.Agent.OKV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Delayed reading of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7f1d7ac6-c4ab-4d57-bbca-ead1f4c021d9
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.adwa.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096865
Signature
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729505 Sample: Statement of Account.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 45 api.telegram.org 2->45 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected GuLoader 2->63 65 3 other signatures 2->65 8 Statement of Account.exe 2 34 2->8         started        12 yqWDN.exe 2 2->12         started        14 yqWDN.exe 1 2->14         started        signatures3 process4 file5 37 C:\Users\user\AppData\Local\...\System.dll, PE32 8->37 dropped 67 Writes to foreign memory regions 8->67 69 Tries to detect Any.run 8->69 16 CasPol.exe 18 15 8->16         started        21 CasPol.exe 8->21         started        23 svchost.exe 8->23         started        29 5 other processes 8->29 25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        signatures6 process7 dnsIp8 39 api.telegram.org 149.154.167.220, 443, 49841 TELEGRAMRU United Kingdom 16->39 41 192.227.183.138, 49840, 80 AS-COLOCROSSINGUS United States 16->41 43 192.168.11.1 unknown unknown 16->43 33 C:\Windows\System32\drivers\etc\hosts, ASCII 16->33 dropped 35 C:\Users\user\AppData\Roaming\...\yqWDN.exe, PE32 16->35 dropped 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->47 49 Tries to steal Mail credentials (via file / registry access) 16->49 51 Creates multiple autostart registry keys 16->51 57 5 other signatures 16->57 31 conhost.exe 16->31         started        53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->55 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 12:06:16 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pw26mjwdgujqfgumtfhjfeqzi2nc2tzwxpmvk4uz2s4l5qlhh7aq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
GuLoader
32734437ca16d5bf5babbbe8dfe93dfdc953418dcd53cde0b7fe55b6c69fc3b4
GuLoader
37c86f121c6f2444ba270e021f0fe141de6dac7cba6267e9a873f72eabb6bbff
GuLoader
65e331380851f9aced88e0aa9e78e70d04131fa073c5278f6e7fbeb0dff82267
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
79f0258fb0f3f2379e0a0320a754686cbc9e4627240f03663276b6b724952fb9
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92
GuLoader
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
GuLoader
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221024-wx6gwsaad7/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
MD5 hash:
960a5c48e25cf2bca332e74e11d825c9
SHA1 hash:
da35c6816ace5daf4c6c1d57b93b09a82ecdc876
Link:
https://www.unpac.me/results/668c25f1-3603-4bae-a31e-db7bc3bb5b25/
SH256 hash:
7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1
MD5 hash:
238367f3cf7e2a9cba6c2cc17d83ca62
SHA1 hash:
9cbbb70ae41adca7f8bf6a4cff0ea0e19f5a5288
Link:
https://www.unpac.me/results/668c25f1-3603-4bae-a31e-db7bc3bb5b25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/323591/

Comments