MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a68190f559500888abbd58c7b35794837352ac2127fb1dd1553c659eba5015a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a68190f559500888abbd58c7b35794837352ac2127fb1dd1553c659eba5015a3
SHA3-384 hash: 1a16799fe98b5e586fa8b7da05c9521f7c43f8a4f4dde7ffb749d7806afe00438630f342285c91d8326d51b6307d721e
SHA1 hash: a392047560d88d52a62e7a0986f17fe02ee338fe
MD5 hash: 6858cba68df58fad100846db2318d2e3
humanhash: snake-lion-romeo-solar
File name:10_SoA 21.10.22.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:195'080 bytes
First seen:2022-10-29 06:17:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59a4a44a250c4cf4f2d9de2b3fe5d95f (70 x GuLoader, 13 x AgentTesla, 7 x AZORult)
ssdeep 3072:VDJ0rZo6StCBXJtlIOWCBxfrLZnRiu9RZbEsQs8TbwWeD7nHYlANhx5sh26CQda3:VDSoIKK3G0HEsf8TkWeD7nVnTk2603
Threatray 22 similar samples on MalwareBazaar
TLSH T1B314021A75E46967E83A077158F2DB65B6BFE700692015CB0B618FBE6C30381CA4A1DF
TrID 92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-25T06:37:10Z
Valid to:2025-10-24T06:37:10Z
Serial number: -703217f319ca1b89
Thumbprint Algorithm:SHA256
Thumbprint: a3253270b754c58c49b3a7945619e9bf9996914c76d1e0ffa51cda3a52423615
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
664
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
10_SoA 21.10.22.exe
Verdict:
Malicious activity
Analysis date:
2022-10-29 06:21:13 UTC
Tags:
installer guloader
Link:
https://app.any.run/tasks/569cc0e4-3c3c-4181-95fd-a010d069cf52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325761/
Detection(s):
SecuriteInfo.com.Adware.Agent.OKV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/635cc59c58409ff7bc0c384c/reports/09d531f6-316f-4bb6-a7c6-2ad51b06221c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bc84f0e1-de53-461b-af58-5264dc794a26
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.adwa.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100791
Signature
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 733452 Sample: 10_SoA 21.10.22.exe Startdate: 29/10/2022 Architecture: WINDOWS Score: 100 37 api.telegram.org 2->37 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 8 10_SoA 21.10.22.exe 2 31 2->8         started        12 NXLun.exe 2 2->12         started        14 NXLun.exe 1 2->14         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\...\System.dll, PE32 8->31 dropped 55 Writes to foreign memory regions 8->55 57 Tries to detect Any.run 8->57 16 CasPol.exe 18 15 8->16         started        21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        signatures6 process7 dnsIp8 33 api.telegram.org 149.154.167.220, 443, 49822 TELEGRAMRU United Kingdom 16->33 35 192.227.183.138, 49817, 80 AS-COLOCROSSINGUS United States 16->35 27 C:\Windows\System32\drivers\etc\hosts, ASCII 16->27 dropped 29 C:\Users\user\AppData\Roaming\...29XLun.exe, PE32 16->29 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->41 43 Tries to steal Mail credentials (via file / registry access) 16->43 45 7 other signatures 16->45 25 conhost.exe 16->25         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a68190f559500888abbd58c7b35794837352ac2127fb1dd1553c659eba5015a3/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 07:52:42 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 42 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2azb5kzkaeirk55ldd3gv4uqnzvflbbe75r3ukvhrsz5osqcwrq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
01402a21670aff5459a82853d36167e0226dec7fac8f1ccc5cb94ac2fe421957
GuLoader
166908f0b9866d84c4a0828b4d664aa4b1049d403ebe90798caa4f4d93b26e00
GuLoader
37c86f121c6f2444ba270e021f0fe141de6dac7cba6267e9a873f72eabb6bbff
GuLoader
43efe491955b4d4d340b18b7de78784276f048d8d5b99f9fff0284d563226286
GuLoader
4ddc7dadc052cd25fdb4171c0ba585cf63bcfc648654bb7da2e2b69ec920a781
GuLoader
65e331380851f9aced88e0aa9e78e70d04131fa073c5278f6e7fbeb0dff82267
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
7db5e626c33513029a8c994e929219469a2d4f36bbd9557299d4b8bec1673fc1
GuLoader
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
GuLoader
a1853750e48152050b5f04f08ba261a37c49fd039435ac4c2683328febd4fa92
GuLoader
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221029-g2l7gseffr/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
97627cfcc0d9a4f4bd84e0434052ac8ffcf80228d7ff7ed41456f4fc439de7be
MD5 hash:
cb2f7c271f899b3c499441d1f9d166ab
SHA1 hash:
faf02753616da1d4b7f049f8ff4e3625b6be3956
Link:
https://www.unpac.me/results/178b515e-94d5-43bc-9756-5373cc3a7ea4/
SH256 hash:
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
MD5 hash:
960a5c48e25cf2bca332e74e11d825c9
SHA1 hash:
da35c6816ace5daf4c6c1d57b93b09a82ecdc876
Link:
https://www.unpac.me/results/178b515e-94d5-43bc-9756-5373cc3a7ea4/
SH256 hash:
a68190f559500888abbd58c7b35794837352ac2127fb1dd1553c659eba5015a3
MD5 hash:
6858cba68df58fad100846db2318d2e3
SHA1 hash:
a392047560d88d52a62e7a0986f17fe02ee338fe
Link:
https://www.unpac.me/results/178b515e-94d5-43bc-9756-5373cc3a7ea4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a68190f559500888abbd58c7b35794837352ac2127fb1dd1553c659eba5015a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe a68190f559500888abbd58c7b35794837352ac2127fb1dd1553c659eba5015a3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/325761/

Comments