MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a18ddbcb974723faec3f0bda9244216649786ca41471cc63049999d0408d7009. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a18ddbcb974723faec3f0bda9244216649786ca41471cc63049999d0408d7009
SHA3-384 hash: 46701ac5f50955e24ac6ae2e4de04c1032f390c67a184ac76ba39523d618a67bd7f7da33e5872ab0491538fc0e910e16
SHA1 hash: ece05a0ce3cb7b1524e607121525dce53d5ef362
MD5 hash: 64b2a30bec89e89714b391908fb8ceff
humanhash: double-moon-diet-hydrogen
File name:3,204 USD Swift Bildirimi 12.12.2022.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:653'737 bytes
First seen:2022-12-13 22:55:39 UTC
Last seen:2023-01-06 10:56:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:5ms7kmH3YwbAD4IzsdumUV7/fXnG4Jbt1YuVQ7MCnC+xYXTC+bkqspoD:0swets4Iz6rU/fXXXWuVQAwxeWE1b
Threatray 203 similar samples on MalwareBazaar
TLSH T130D4127157B1C8CBCCAC0AF44233632A123AC66DAC049E03EEED6D6FBD593581D27659
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon cce8f0f0f0e87112 (7 x GuLoader)
Reporter Anonymous
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
4
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3,204 USD Swift Bildirimi 12.12.2022.exe
Verdict:
Malicious activity
Analysis date:
2022-12-13 22:56:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8355e695-6c08-46ff-a8b0-84d0fd9ddde2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346049/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64214864.15358.30404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/639903039a505ad9423fa885/reports/88706948-5b0f-4bb8-97b9-9637f3d01506/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e28b1f61-f3ad-46b3-88a9-f743432494e8
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1133857
Signature
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 766581 Sample: 3,204 USD Swift Bildirimi 1... Startdate: 14/12/2022 Architecture: WINDOWS Score: 100 28 mail.gfrabkonline.com 2->28 30 gfrabkonline.com 2->30 32 3 other IPs or domains 2->32 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected GuLoader 2->44 46 3 other signatures 2->46 8 3,204 USD Swift Bildirimi 12.12.2022.exe 2 34 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Roaming\...\Fluffer.Uig, data 8->20 dropped 22 C:\Users\user\...\plugin-container.exe, PE32+ 8->22 dropped 24 C:\Users\user\AppData\...\ConsolePauser.exe, PE32 8->24 dropped 26 C:\Users\user\AppData\Local\...\System.dll, PE32 8->26 dropped 48 Writes to foreign memory regions 8->48 50 Tries to detect Any.run 8->50 12 CasPol.exe 15 12 8->12         started        16 CasPol.exe 8->16         started        signatures6 process7 dnsIp8 34 gfrabkonline.com 204.12.248.163, 49881, 587 WIIUS United States 12->34 36 api4.ipify.org 173.231.16.76, 443, 49879 WEBNXUS United States 12->36 38 wordpress-363999-2751017.cloudwaysapps.com 178.128.36.26, 443, 49878 DIGITALOCEAN-ASNUS Netherlands 12->38 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->52 54 Tries to steal Mail credentials (via file / registry access) 12->54 56 Tries to harvest and steal ftp login credentials 12->56 62 3 other signatures 12->62 18 conhost.exe 12->18         started        58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->60 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a18ddbcb974723faec3f0bda9244216649786ca41471cc63049999d0408d7009/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 17:15:53 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugg5xs4xi4r7v3b7bpnjerbbmzexq3fecry4yyyetgm5aqenoaeq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
23bdbcc94a910fc7a4873ba666aa18404017514df95a9b1266d3aa233663c3ee
GuLoader
296d3276af7f064b6e29fd453f3273c4fbf7d47d5afa4a2ecb80b594467d85df
GuLoader
6d986cc1bd9fd02c980515b451b918a00568baea36b0ed00113c3e5f993d99d4
GuLoader
9f47ed5d4825d6cf54c46856454b381f0a594dfdaa5027af5dc8379df03bcaa8
GuLoader
d3a66173013a037b63d6ab4eb79916bb7e32cea117a3a12ed823f1f41ee69ce2
GuLoader
d418b33e0f47d43fcc31e623c7c2b581aa9df51fb47a15414a8bb45b009f813b
GuLoader
e504cb27581e7e2bf9f32203245d8a2d00451808a66a641b8e090ebd93a5842d
GuLoader
f6a79144d1ff3fe08c93e756f50d43cba75721426448c17b702cdaa66e29ea7a
GuLoader
+ 193 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/221213-2wntcagh49/
Behaviour
Enumerates physical storage devices
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/46923b07-6ef2-40f1-b917-641792739435
Unpacked files
SH256 hash:
a18ddbcb974723faec3f0bda9244216649786ca41471cc63049999d0408d7009
MD5 hash:
64b2a30bec89e89714b391908fb8ceff
SHA1 hash:
ece05a0ce3cb7b1524e607121525dce53d5ef362
Link:
https://www.unpac.me/results/02b719e3-edea-448a-9ab9-7dfdd3b1105d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/a18ddbcb974723faec3f0bda9244216649786ca41471cc63049999d0408d7009

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe a18ddbcb974723faec3f0bda9244216649786ca41471cc63049999d0408d7009

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/346049/

Comments