MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a770fff46977ee8c18165f11b5346157fbd600f7971428edb46ef048ade479b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	a770fff46977ee8c18165f11b5346157fbd600f7971428edb46ef048ade479b4
SHA3-384 hash:	a5619d51fc1d0a957e0cb1ee0904fb63ad14695123e3e1a83860a2d1b3379515398c5f5c0418ce4ed0290b81d772057f
SHA1 hash:	612793dae2a36229cdacb1ca4ba54c9b56965bb7
MD5 hash:	fa4d06dcdeb83aa3fdebfbfe14ca64d8
humanhash:	nuts-winter-nineteen-undress
File name:	INQUIRY- EUSQ131302.scr
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	525'632 bytes
First seen:	2022-10-12 13:02:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep	12288:zSv6ymBW6V/EDp72+AfiCiqRjzPp0vCphiFA4:uvaBJdg72fiCBdPp06LiFA4
Threatray	1'037 similar samples on MalwareBazaar
TLSH	T174B4F1917A82984EE4C95B32C441EE74E7715C392B61C8D3E2A57FAF37332523B9601B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8c8c9cb6b6366247 (5 x GuLoader)
Reporter	malwarelabnet
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-10-30T05:11:52Z
Valid to:	2024-10-29T05:11:52Z
Serial number:	-03bd5976ca08c08e
Thumbprint Algorithm:	SHA256
Thumbprint:	aea050ec69d3217eb9a1a8869ea74e8d577a51fbdf6f7787b0f1dbb68d7be9ce
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

481

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319365/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.UGA.20041.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a file

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42675/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

buer overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6346bb089162672e63eece9c/reports/5a21af37-c1bf-4696-bf7e-330d94f671cb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4d316bd8-6ca9-460a-9eb3-b38c492a0cd1

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1088796

Signature

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a770fff46977ee8c18165f11b5346157fbd600f7971428edb46ef048ade479b4/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2022-10-12 01:12:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 42 (38.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u5yp75djo7xiygawl4i3kndbk755mahxs4kcr3nun3yerlpepg2a._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

194fe792044279124a5e298a697897e99df0dd83f7c51d6bee295b447810531d

GuLoader

1c88f5a9499a54522c8338fb93c326debeb890fb08251ce29fcf19ae7441d11c

GuLoader

23f6c24a5984c1bc1450f2d6eb32f3ece4e52bc275b4e9eea038db9f7f4f7717

GuLoader

38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f

GuLoader

4d688c6baec0d972c248f7747f18dc385e67a0fb2b1a5deb70f324b16220780d

GuLoader

5dd8324382a5bcea5859d89a259fc1fb3623f91fa720bc016b372ef2c87cae0c

GuLoader

689ca59de6d01b808fa447086aefd829f18f5b628c279148220188ab95e66cf1

GuLoader

9f6213768398115934da0a8ad4c3a6c021f6faa1103c25bb9d994153b08b9e5e

GuLoader

f3100e1ff79518aafd23f706e705e0c0639c4d76cb42df14a73268ab78aac4e8

GuLoader

+ 1'027 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/221012-qacneadegm/

Behaviour

Enumerates physical storage devices

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/edac33ec-0a78-4552-a89e-598df76ef303

Unpacked files

SH256 hash:

ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

MD5 hash:

0063d48afe5a0cdc02833145667b6641

SHA1 hash:

e7eb614805d183ecb1127c62decb1a6be1b4f7a8

Link:

https://www.unpac.me/results/270e4a70-a63d-430f-b320-097689f60e1a/

Parent samples :

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

SH256 hash:

a770fff46977ee8c18165f11b5346157fbd600f7971428edb46ef048ade479b4

MD5 hash:

fa4d06dcdeb83aa3fdebfbfe14ca64d8

SHA1 hash:

612793dae2a36229cdacb1ca4ba54c9b56965bb7

Link:

https://www.unpac.me/results/270e4a70-a63d-430f-b320-097689f60e1a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a770fff46977ee8c18165f11b5346157fbd600f7971428edb46ef048ade479b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/319365/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample