MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 874b31b01660f3185d9395adc891baf865aee503331d6d2ea507c572cfea001e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 874b31b01660f3185d9395adc891baf865aee503331d6d2ea507c572cfea001e
SHA3-384 hash: badf4891226041fa8d91badf905ee45c8fc92f7315650f57034a4f228e82a5c214a0609bb75977fd8f79f3ef67aa0f29
SHA1 hash: b082ddd9802d03d65ea7b49740707243b8026f7d
MD5 hash: eecf4aff1cc567a3288923a801af9f47
humanhash: spaghetti-victor-equal-cup
File name:SecuriteInfo.com.Trojan.GenericKD.61214164.14903.7058
Download: download sample
Signature GuLoader
Create hunting rule
File size:230'560 bytes
First seen:2022-08-09 09:46:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 102 x GuLoader, 64 x DiamondFox)
ssdeep 6144:IgORaLVhqIczhD0GHrL58HgT7bcjv8Y0x3WGX:IgXVhqIK0iMk7bqM3T
Threatray 16'622 similar samples on MalwareBazaar
TLSH T12D3402503658C8A3F9AA597129754BB70EF9A9151872124B33803F6E7E3E3D29E0F743
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8f0f0fcf472fe08 (1 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Testudos Efteruddanelseskursers Overspeculatively
Issuer:Testudos Efteruddanelseskursers Overspeculatively
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-08T03:31:19Z
Valid to:2025-08-07T03:31:19Z
Serial number: 200af167018e75bb
Thumbprint Algorithm:SHA256
Thumbprint: 0b107acc9a3aa32f7c312d9abf548623811e3b37125153f3090dde69ae64d89f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.61214164.14903.7058
Verdict:
Malicious activity
Analysis date:
2022-08-09 09:48:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6aaf24ed-aa41-4e67-8e78-f6693f93dfbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297278/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61214164.14903.7058.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28418/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62f22d2a080024921b61de9a/reports/fadb5134-fa4f-4053-bdd3-d9dad3b79958/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4b88eb9e-8634-4497-9330-8490f52e6ee6
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1048399
Signature
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/874b31b01660f3185d9395adc891baf865aee503331d6d2ea507c572cfea001e/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-08-08 07:43:22 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5ftdmawmdzrqxmtsww4ren27bs25zidgmow2lvfa7cxft7kaapa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
GuLoader
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
GuLoader
799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
GuLoader
951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c
GuLoader
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
GuLoader
f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2
GuLoader
+ 16'612 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader collection downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220809-lr7gwsabh5/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Malware Config
C2 Extraction:
https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument
Unpacked files
SH256 hash:
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash:
564bb0373067e1785cba7e4c24aab4bf
SHA1 hash:
7c9416a01d821b10b2eef97b80899d24014d6fc1
Link:
https://www.unpac.me/results/fc83eb32-4fc4-4cb2-9d62-cb1f29f087d0/
SH256 hash:
874b31b01660f3185d9395adc891baf865aee503331d6d2ea507c572cfea001e
MD5 hash:
eecf4aff1cc567a3288923a801af9f47
SHA1 hash:
b082ddd9802d03d65ea7b49740707243b8026f7d
Link:
https://www.unpac.me/results/fc83eb32-4fc4-4cb2-9d62-cb1f29f087d0/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/874b31b01660/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/874b31b01660f3185d9395adc891baf865aee503331d6d2ea507c572cfea001e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/297278/

Comments