MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
SHA3-384 hash: 98c4a432d74560df2fc7e61950b3a182f1f9e0184a12c862bbc4789a43b22961e2a188530b30e587511b3f1e17c374ac
SHA1 hash: 683d62a0b110cb63c830f4dcce9307a7307f464f
MD5 hash: 127c53b70ff9aaaf99b674fd02bc03e7
humanhash: bluebird-oranges-ack-low
File name:SecuriteInfo.com.Win32.SuspectCrc.16905
Download: download sample
Signature GuLoader
Create hunting rule
File size:681'041 bytes
First seen:2022-09-28 10:27:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 12288:ZtesNpGjZF6vL5am1eIP1x5qpg5NuyAisDSdB2V5wN:+sTGjZEa8DWg5rAny
Threatray 72 similar samples on MalwareBazaar
TLSH T142E4E0237740DCC6D9E404BD6462C7A6E7E1ACA7CB51592671A9FF2B543C303060BEBA
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0c290d08cdce878 (1 x GuLoader)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314308/
Detection(s):
SecuriteInfo.com.Win32.SuspectCrc.16905.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/633421b55c60ccc9fcfe7461/reports/c4d6d80e-c229-49b3-8903-84921b2f3c82/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/afb8d58b-6207-4c20-b8c6-b098c805f79a
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079134
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 711691 Sample: SecuriteInfo.com.Win32.Susp... Startdate: 28/09/2022 Architecture: WINDOWS Score: 100 26 acbcr.ro 2->26 28 pogba2000.ml 2->28 30 ftp.acbcr.ro 2->30 36 Snort IDS alert for network traffic 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 3 other signatures 2->42 8 SecuriteInfo.com.Win32.SuspectCrc.16905.exe 1 68 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\Roaming\...\vfsstat.dll, PE32+ 8->18 dropped 20 C:\Users\user\AppData\...\uTMPVImporter.dll, PE32 8->20 dropped 22 C:\Users\user\AppData\...\uFATImporter.dll, PE32 8->22 dropped 24 10 other files (none is malicious) 8->24 dropped 44 Writes to foreign memory regions 8->44 46 Tries to detect Any.run 8->46 48 Sample is not signed and drops a device driver 8->48 12 CasPol.exe 15 11 8->12         started        signatures6 process7 dnsIp8 32 acbcr.ro 188.241.74.68, 21, 36064, 49830 TELECABLU-ASNRO Romania 12->32 34 pogba2000.ml 162.241.69.192, 443, 49829 UNIFIEDLAYER-AS-1US United States 12->34 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->52 54 Tries to steal Mail credentials (via file / registry access) 12->54 56 4 other signatures 12->56 16 conhost.exe 12->16         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 04:35:47 UTC
File Type:
PE (Exe)
Extracted files:
65
AV detection:
3 of 26 (11.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=seyxe5ifqwtjqqar4wffooryzv7naupccrljbt32jnj3dssjojoa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
32734437ca16d5bf5babbbe8dfe93dfdc953418dcd53cde0b7fe55b6c69fc3b4
GuLoader
55193fc2ef8da805e9c4d8cb73eeb0647c1bac3bb3f2ec3d7e692c7e92957e2b
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
7008badd4657d999591cf125d279dfab990d98023c79639d295eedc724e99a8f
GuLoader
83518c2b2a13ca64460e8afe178e55fc4f18822c906e5aabe1b33ee0285bb252
GuLoader
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
GuLoader
cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215
GuLoader
fd33391adfb88576dee3e3e013521660cb15f80d51552343027d5d5bf1b6f01d
GuLoader
+ 62 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220928-mhn5maffa5/
Behaviour
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9f8e88a0-dd4b-4efa-9e5c-bf1f1a84f697
Unpacked files
SH256 hash:
896853468fc0dd9cf8a09ac79e7a79f687ecd4275581073c7a391cb1aab1e209
MD5 hash:
55212718b847e6adaa81e3b2a76da80e
SHA1 hash:
f92a684e7102603f8a52d201b75df4fe4ef42a3e
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
c8ebf1983f2e93907d8102bfd0b2e9a0a86905ec757c3c44ead55c2021878439
MD5 hash:
fdaf88656b943e4398c042acd58a5204
SHA1 hash:
c6eda55b3cb11e00bf0d9b70243e95d232fa6178
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
4f937478a780f469439783292884d4c8b741cfeb29312bd96d3e3eecc7a5eefa
MD5 hash:
2fa56218c2ee49e14f76e75f94f3ae99
SHA1 hash:
b2e88714556f47421710d3b7e18cbcbdc421bc6f
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
3395165fcd2e36919bfb6e675be92bb5501bb400e636a2f38a2ad83838c09528
MD5 hash:
efeb10317d13bd22fcf488c67ddb94a4
SHA1 hash:
a78c70ddce511337449bc7873f3ea4ee573a1a69
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
414f73ef360f806c1fc61aa97fe096df016a23d07ded23f165ea25f15b8b5d61
MD5 hash:
e9371409deb1adec878b7034efcfb34d
SHA1 hash:
a0ffbcac0b6624828124ebb4dd61b3b196f2ef35
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
MD5 hash:
7399323923e3946fe9140132ac388132
SHA1 hash:
728257d06c452449b1241769b459f091aabcffc5
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
e5833465f31ec6d0df2a249280ee229862f55413a9c99edd666fed47344315cf
MD5 hash:
7c3d79e4d4b4751ffe78ec68221565f4
SHA1 hash:
6aebe07d0a17534fb2d6e1ef8a09f3919ee6da72
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
13674c90d4c98376d509beb8e81e61daba16d6c66492238746777ff88cd1d6a5
MD5 hash:
6e6d146807eeb6c2b0d0349a3b6157ad
SHA1 hash:
5eeff5fc7e5a269a33f5f110e766af66230c4bbe
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
82020508a8540b0b71afbf654cbf7a8ab085c8918b6de08fbd0c89e9484a8967
MD5 hash:
f42ef6011b6e9c5d966913ab60dc80ee
SHA1 hash:
4226a5aafb8db24bae6b0f263079a6d3167de0fa
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
b6accc77866e129fe0eb86d2664bd6af8b18ff5c5bc17cb34fda406842f6ff6d
MD5 hash:
02990ee1b02ec52e8eb904fa38148eba
SHA1 hash:
335dd0eb7093af75919ecfe231e4578cc5b34a25
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
SH256 hash:
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
MD5 hash:
127c53b70ff9aaaf99b674fd02bc03e7
SHA1 hash:
683d62a0b110cb63c830f4dcce9307a7307f464f
Link:
https://www.unpac.me/results/45f1ddd6-ff05-47cb-a61c-e6f991a98c4e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314308/

Comments