MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 811de8503ce4a7cc2bf23387c4841694be046c532ddee322ea8a75fbaa6d0f22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	811de8503ce4a7cc2bf23387c4841694be046c532ddee322ea8a75fbaa6d0f22
SHA3-384 hash:	6bc0780ab6a5d45b77897fc86ddbc446498a46439cede3b2413e23c9d9ee7d3d2bf2c4dc41f0a3d607ce077e0f9ed9f8
SHA1 hash:	c7b669acb8734a305741bae29c9563546a4652af
MD5 hash:	9ffcec22d425a19128da17e5b17e9dca
humanhash:	nebraska-pip-quiet-alpha
File name:	SecuriteInfo.com.Variant.Razy.961905.21681.23718
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	135'168 bytes
First seen:	2021-10-12 05:44:23 UTC
Last seen:	2021-10-12 07:01:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0a8e5f9658f839d07c08aa4f38837bac (8 x GuLoader)
ssdeep	3072:yxajFtxQshOX3gZWdfEaO/8hOdnXhWZ2QLqw9mh7ObETDuvTuqZccm+Fp/rFwYU0:CajFXAQZWd/7h
TLSH	T170D3A401E1CEDE66CA06817D0C828357BF9A6E525CD3281B3A5E56C83FEB92173917CD
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Razy.961905.21681.23718

Verdict:

No threats detected

Analysis date:

2021-10-12 05:47:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/03b5018d-71c6-41b1-84c7-5a8e19a5dcb5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/196759/

Detection(s):

SecuriteInfo.com.Variant.Razy.961905.21681.23718.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/616520e0fd35fe780c39e2bb/reports/1102ee93-82ee-42f4-a236-74f09367cc00/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/62675b5b-99d1-44f3-a85e-1f95a1f3c511

Result

Threat name:

GuLoader AgentTesla

Detection:

malicious

Classification:

rans.troj.evad.spre.adwa.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/868287

Signature

Found malware configuration

GuLoader behavior detected

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Modifies the hosts file

Multi AV Scanner detection for submitted file

Potential malicious icon found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: RegAsm connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/811de8503ce4a7cc2bf23387c4841694be046c532ddee322ea8a75fbaa6d0f22/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-10-12 05:45:09 UTC

AV detection:

11 of 38 (28.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qeo6qub44st4yk7sgod4jbawss7ai3ctfxpogixkrj27xktnb4ra._file

Verdict:

malicious

Label(s):

cloudeye

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/211012-gfqmsabdf4/

Behaviour

Suspicious use of SetWindowsHookEx

Guloader,Cloudeye

Unpacked files

SH256 hash:

811de8503ce4a7cc2bf23387c4841694be046c532ddee322ea8a75fbaa6d0f22

MD5 hash:

9ffcec22d425a19128da17e5b17e9dca

SHA1 hash:

c7b669acb8734a305741bae29c9563546a4652af

Link:

https://www.unpac.me/results/a75888b1-ebaf-479e-9f66-f49299c18456/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/811de8503ce4a7cc2bf23387c4841694be046c532ddee322ea8a75fbaa6d0f22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196759/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample