MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92
SHA3-384 hash: aa79669ae88790ac5b74ff493755c00a3261931059ccb428d11992c902c017e58e52d27232b6fcdc66777330711ef946
SHA1 hash: b7d9acdf8e88d1370518326f699cceb56c1fb004
MD5 hash: d0c763c5bc164642ef31a3ff60bc3333
humanhash: kilo-football-mike-freddie
File name:SecuriteInfo.com.Generic.ML.PUA.1084.32521
Download: download sample
Signature GuLoader
Create hunting rule
File size:332'216 bytes
First seen:2022-10-10 09:27:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 3072:Zc29Tp9pltdXJQxh0VqBoU3LAzfbAYgjNmRT4aaRnCHWPBgQ3gHylDSe1YSJ9LxG:ZcQ9zOWVqB0f6YJEnCHWPRaydSEJJ9A
Threatray 13 similar samples on MalwareBazaar
TLSH T1F3648CD2F11045EDEC6A1B72642B4CA609A32CBDD6B8D14C71F977222BF72A3401E95F
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 068f0b2a2b363f06 (19 x SnakeKeylogger, 8 x AgentTesla, 8 x MassLogger)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-13T13:39:44Z
Valid to:2025-07-12T13:39:44Z
Serial number: 2ed8a120c25d8d7a
Thumbprint Algorithm:SHA256
Thumbprint: 2a507c783a411fd800370585f77933b3baa2fc2283c74df9361efc32a8aecfb2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318292/
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.1084.32521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Searching for the window
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi njrat overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6343e5a381eef2a234c4b0ba/reports/4e0818a8-7ce9-48ff-b17f-d754aad7a3a8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fa106b9f-838c-4ddc-81aa-10b369bc2a7a
Result
Threat name:
DarkCloud, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086774
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
DLL side loading technique detected
Drops PE files to the user root directory
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 719331 Sample: SecuriteInfo.com.Generic.ML... Startdate: 10/10/2022 Architecture: WINDOWS Score: 100 42 usmaniassociates.com 2->42 44 showip.net 2->44 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->58 60 5 other signatures 2->60 10 SecuriteInfo.com.Generic.ML.PUA.1084.32521.exe 2 23 2->10         started        signatures3 process4 file5 36 C:\Users\user\AppData\Local\...\System.dll, PE32 10->36 dropped 76 Drops PE files to the user root directory 10->76 78 Tries to detect Any.run 10->78 80 Writes or reads registry keys via WMI 10->80 14 SecuriteInfo.com.Generic.ML.PUA.1084.32521.exe 2 20 10->14         started        signatures6 process7 dnsIp8 46 usmaniassociates.com 72.18.132.49, 443, 49840 WEHOSTWEBSITES-COMUS United States 14->46 48 showip.net 162.55.60.2, 49842, 80 ACPCA United States 14->48 38 C:\Users\user\AppData\...\ConsoleApp1.exe, PE32 14->38 dropped 40 C:\Users\Public\vbsqlite3.dll, PE32 14->40 dropped 50 Tries to harvest and steal browser information (history, passwords, etc) 14->50 52 Tries to detect Any.run 14->52 19 ConsoleApp1.exe 10 14->19         started        file9 signatures10 process11 signatures12 62 Antivirus detection for dropped file 19->62 64 Multi AV Scanner detection for dropped file 19->64 66 Machine Learning detection for dropped file 19->66 22 credentials.exe 2 19->22         started        25 csc.exe 5 19->25         started        process13 file14 68 Antivirus detection for dropped file 22->68 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->70 72 Machine Learning detection for dropped file 22->72 28 conhost.exe 22->28         started        34 C:\Users\user\AppData\...\credentials.exe, PE32 25->34 dropped 74 DLL side loading technique detected 25->74 30 conhost.exe 25->30         started        32 cvtres.exe 1 25->32         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 06:11:28 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugctouheqfjakc27atyixitbun6et7idsq22ytbgqmzi726u7kja._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
GuLoader
32734437ca16d5bf5babbbe8dfe93dfdc953418dcd53cde0b7fe55b6c69fc3b4
GuLoader
55193fc2ef8da805e9c4d8cb73eeb0647c1bac3bb3f2ec3d7e692c7e92957e2b
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
83518c2b2a13ca64460e8afe178e55fc4f18822c906e5aabe1b33ee0285bb252
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
GuLoader
cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215
GuLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/221010-lfbk3sbedp/
Behaviour
Enumerates physical storage devices
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/615f34a5-55c1-44a7-9001-5d1c9f129281
Unpacked files
SH256 hash:
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
MD5 hash:
6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1 hash:
b6ac111dfb0d1fc75ad09c56bde7830232395785
Link:
https://www.unpac.me/results/5185e1fe-9eba-4614-b261-9bdde23ae8e6/
SH256 hash:
a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92
MD5 hash:
d0c763c5bc164642ef31a3ff60bc3333
SHA1 hash:
b7d9acdf8e88d1370518326f699cceb56c1fb004
Link:
https://www.unpac.me/results/5185e1fe-9eba-4614-b261-9bdde23ae8e6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a1853750e481/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318292/

Comments