MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 889a4438087185a1fde0f03e7cd63429784cb000b31ec1121155528eb8213892. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	889a4438087185a1fde0f03e7cd63429784cb000b31ec1121155528eb8213892
SHA3-384 hash:	122e83dfcb174f6f030d7987019a80ac374f69accb2ba632625f9b91819b4fd8c6532a2cf63dc450e546e1986e23f647
SHA1 hash:	15901b9eb1e65627e55c3265fc80930126736f02
MD5 hash:	68d6e43ad003e769f8107a98b109eb4b
humanhash:	diet-indigo-wyoming-papa
File name:	new order- PO098432.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	107'248 bytes
First seen:	2022-10-11 14:11:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b40f29cd171eb54c01b1dd2683c9c26b (45 x GuLoader, 16 x RemcosRAT, 15 x VIPKeylogger)
ssdeep	3072:bsBD6HJfcDDXJ8vzUUu+WgRFx4KHjfw1H7Q+yoAxh:bPpKCgU7ZhfIm+yo8
Threatray	17 similar samples on MalwareBazaar
TLSH	T1A3A3F10A67D0DCBBF9F207B1067AFB7BF379A6811650520B9F148E733E006935A661D2
TrID	92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	malwarelabnet
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-12-06T14:39:17Z
Valid to:	2024-12-05T14:39:17Z
Serial number:	454e58889a2c728f
Thumbprint Algorithm:	SHA256
Thumbprint:	5340403a2e59e30db058e3feebfbdb76a7efbb2c45e69a00d356ad7319ae09df
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

354

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318978/

Detection(s):

SecuriteInfo.com.TR.Drop.Agent.134141.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Creating a file in the %temp% subdirectories

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/634579b35cada2cbc6eb932a/reports/c6592796-bf59-4181-9c70-edddaa842086/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bc89b243-e0ad-436b-a7cb-4391f9ff7b7b

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1088117

Signature

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/889a4438087185a1fde0f03e7cd63429784cb000b31ec1121155528eb8213892/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2022-10-11 11:26:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 40 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rcneioaiogc2d7pa6a7hzvruff4ezmaawmpmceqrkvji5obbhcja._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

41810fd3481f8d4ccfb45fddc97fef5ccdff10af555a2c1fa239c541d3fd16a3

GuLoader

66ae6865937b8fe4ba36324e6a5791b764f6e1f1ff58e74b7e0ce6e8059b70e3

GuLoader

8eb45eae1bf18d642ec8a747887ce69f700398f833eae0f8843efabfdce9a1b8

GuLoader

a86978784d7010ead01a68d2ac9c10607d9b2ad7fd2881721eba2c4ce06ae381

GuLoader

c6ba807010aec7a25ad106d9bce0f3b70d9c3d2223e93344cf5fad10ed1eedd3

GuLoader

ce78f61027853d32187067837979c084422c5d89e39ec74d3b2c0318e2b5174e

GuLoader

d83e3f5b248bc0b1676bb081cd50e8df0dd600f4b9253465aa6ed63f263cfd19

GuLoader

+ 7 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/221011-rht34ahcc9/

Behaviour

Enumerates physical storage devices

Drops file in Windows directory

Drops file in System32 directory

Loads dropped DLL

Guloader,Cloudeye

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/715771bf-40d7-44d6-9eb9-5684ffb8234e

Unpacked files

SH256 hash:

b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2

MD5 hash:

6ad39193ed20078aa1b23c33a1e48859

SHA1 hash:

95e70e4f47aa1689cc08afbdaef3ec323b5342fa

Link:

https://www.unpac.me/results/ea94532e-85af-40f5-a042-afccfaf0c7f2/

SH256 hash:

889a4438087185a1fde0f03e7cd63429784cb000b31ec1121155528eb8213892

MD5 hash:

68d6e43ad003e769f8107a98b109eb4b

SHA1 hash:

15901b9eb1e65627e55c3265fc80930126736f02

Link:

https://www.unpac.me/results/ea94532e-85af-40f5-a042-afccfaf0c7f2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/889a4438087185a1fde0f03e7cd63429784cb000b31ec1121155528eb8213892

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/318978/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample