MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86
SHA3-384 hash: d5585f93e105cbddc6b544f1de5b8410606f284428265c99f2a2d086bddee5cfc9e106b4a04d2ae1531a7eaa6a49071e
SHA1 hash: a162bb997b463eda62d6fbbda2d1cb3df1a3c39b
MD5 hash: e5affde0f5a1c4a9add0486f25a7a84f
humanhash: mirror-beer-ten-fillet
File name:RFQ#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:429'643 bytes
First seen:2023-12-04 09:12:57 UTC
Last seen:2023-12-04 11:21:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66fcdd6338ffed276966867e7cf86116 (9 x GuLoader, 2 x AgentTesla, 2 x RemcosRAT)
ssdeep 12288:QaWD2cfgiCZWzsACEPn1bpb5eYErd0CL4rTsv:hWy4HChACCnNpb5eYIBLSa
Threatray 674 similar samples on MalwareBazaar
TLSH T1579423FA2FB584EAE85B8EB464328E57C67790321468920FC7EC7D81B971181DE0DBD1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4d4d4d498b4d4 (6 x AgentTesla, 2 x RemcosRAT, 1 x PureCrypter)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462292/
Detection(s):
SecuriteInfo.com.FileRepMalware.20075.3249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the Windows directory
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/656d9824380413dc0c2f8861/reports/04f37866-e147-4d18-bb1e-2fa1b1cb8e3f/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2edab5c-45f0-4a81-830c-8dbc530b3273
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352998
Signature
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1352998 Sample: RFQ#467_DECMaT_PRODHangzhou... Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 27 server8.apps.ae 2->27 29 ip-api.com 2->29 31 2 other IPs or domains 2->31 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 7 other signatures 2->49 9 RFQ#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe 18 39 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\...\Indkomsts.Cur, data 9->25 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->59 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 61 Suspicious powershell command line found 13->61 63 Very long command line found 13->63 65 Found suspicious powershell code related to unpacking or dynamic code loading 13->65 16 powershell.exe 15 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 39 Writes to foreign memory regions 16->39 41 Maps a DLL or memory area into another process 16->41 21 MSBuild.exe 15 8 16->21         started        process11 dnsIp12 33 107.150.18.101, 49710, 80 ASN-QUADRANET-GLOBALUS United States 21->33 35 api4.ipify.org 173.231.16.77, 443, 49711 WEBNXUS United States 21->35 37 2 other IPs or domains 21->37 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->53 55 Tries to steal Mail credentials (via file / registry access) 21->55 57 2 other signatures 21->57 signatures13
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 08:14:38 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubl2vmuzjsns2mqu4lv57iunztqcgvdl64kuzcbsxutrcldjh2da._file
Verdict:
unknown
Similar samples:
1c8ba53a0df3d48bd031a348f36b5d75ac78db8d94987a3368a9c49429b47222
GuLoader
26e297f8f4bf5837af4c8b5132598c2eed45245c4f6baf0e8c960ff2a555989e
GuLoader
404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079
GuLoader
5f6366e20fde275710415f996748edb9f1091c0b0e47bf2ddc91a59ecd90d54c
GuLoader
7384dec8a7a13e1709dff93154c0cd796055798a19fe470f30c211a991d46849
GuLoader
87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
GuLoader
afb2d85d5726a65aca9ac9d2e1574ee7da80942db1bbcb4a1594b40339ba84d6
GuLoader
b94bcb3ea1cef8b1759856c06c57264332223216fda926fdb58bc848e5a5494d
GuLoader
e479c0b49b6fe13242fc767e1db58067b61e4c16ff7068d3b39c4d8c2836428f
GuLoader
f68f1af4eb16d6d185899ace2e951c196a80591bde4134cf290e69eea91d5472
GuLoader
+ 664 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231204-k6rjjsab74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86
MD5 hash:
e5affde0f5a1c4a9add0486f25a7a84f
SHA1 hash:
a162bb997b463eda62d6fbbda2d1cb3df1a3c39b
Link:
https://www.unpac.me/results/6f922495-1944-4b82-a939-d4add6753736/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a057aab2994c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462292/

Comments