MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20
SHA3-384 hash: 8c0d2813057fc8a2bdb013a74d79d5d86fcbd481637f6862661aab2d70da9ab52978f2670707a834832d98d39e859018
SHA1 hash: 1892479a8d6b58642f57514b6bbd29ab4f7e5e62
MD5 hash: ac4b11253fd63a6f272bf10dabdbfb01
humanhash: nevada-quiet-pasta-lemon
File name:SecuriteInfo.com.W32.Injector.FIHC-3037.22773
Download: download sample
Signature GuLoader
Create hunting rule
File size:108'320 bytes
First seen:2022-09-20 08:59:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep 3072:Us+LplNxNXz3lxRXJWfH1lzsf+BaMPEGNXA8rD:UsKxNX1AP14xA7NXjv
Threatray 14'458 similar samples on MalwareBazaar
TLSH T157B3F15333E6543BE5A37A3019F6AF3BC735DB4108315A931B418E9E0D722C36E6B18A
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-04T07:50:04Z
Valid to:2025-06-03T07:50:04Z
Serial number: -24cbd5e0484b08d3
Thumbprint Algorithm:SHA256
Thumbprint: 34eec36f888f417c4cf45b5c2875e8f9a3e9896456ffce00de8ea43ba0b53bcb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
564
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.Injector.FIHC-3037.22773
Verdict:
Malicious activity
Analysis date:
2022-09-20 09:00:38 UTC
Tags:
installer
Link:
https://app.any.run/tasks/7296e83d-f91e-4218-9b55-4e36c46d550f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311599/
Detection(s):
SecuriteInfo.com.W32.Injector.FIHC-3037.22773.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6329819ab333b2ec6b39359a/reports/2fdb3f17-d114-4872-93b1-5cd86eb12eeb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/de2dac03-63a7-495c-befc-8d076dc14514
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1073530
Signature
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 09:00:10 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pz7e3xgwdx3tpzujhco2dnm56qbfehztccwualags24xz5wohiqa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
5b44d377e2ac43e289acf6f2ce0c3062955c523886c79f4235317535a563ec9c
GuLoader
6619a23606037c409d8a806d59156f73cc1493462da007f59002da7c1a9892e6
GuLoader
6d4d55abaccc1b19903ceb6c96d760327bb9c87a744a8806bfb242d547c9e6e3
GuLoader
7dd92e873c628b396cdddf9fa1d616102db4381b29c6f3b3c6306d0899c5589f
GuLoader
98f7aca3b7f9ff379769ee93e49ff700c16942015535c2d4165a4dc2ed3bd818
GuLoader
c8b9df067d8ce54ce2c376ad20bd6130dc1f3d4feac573da798e68a202b2ef6f
GuLoader
df06ee14dcd8d18eae4a818033bd9c3a2971adcf7c0fe9a2ee563a95e975286f
GuLoader
e024d90a271d4496b50aa2f15d174c5ac3dc3b635573466503d84d95de5b6f79
GuLoader
ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a
GuLoader
+ 14'448 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader collection discovery downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220920-kybhcsgahn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/892f5c0a-5c7a-4410-95a1-429eea248180
Unpacked files
SH256 hash:
8ee70f5c7fce03a00140d8c0e22e2d45d1d8b7b4461a8e7cb1739c642a11f22f
MD5 hash:
35db925b05118d53e1c3179e54e93cd0
SHA1 hash:
1ccae23c74368efaa18eaee1381cba6f2504d9e7
Link:
https://www.unpac.me/results/63fc44a9-8720-46d3-9352-392c5fd032c3/
SH256 hash:
7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20
MD5 hash:
ac4b11253fd63a6f272bf10dabdbfb01
SHA1 hash:
1892479a8d6b58642f57514b6bbd29ab4f7e5e62
Link:
https://www.unpac.me/results/63fc44a9-8720-46d3-9352-392c5fd032c3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e7e4ddcd61d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311599/

Comments