MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675
SHA3-384 hash:	75015f94482ff427bf9aa8f85fc80e49815388e657c1cc72b05d728e347159ffe58ab9d16eaf0d96194493dc24238a98
SHA1 hash:	74187aee526293b2f4079d3ef920a704642fe768
MD5 hash:	5907dff1d78efc94eae6c08342f819fc
humanhash:	sierra-lake-sierra-oregon
File name:	SecuriteInfo.com.W32.Injector.ETRR-2693.10982
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	315'384 bytes
First seen:	2022-09-20 10:18:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (386 x GuLoader, 59 x RemcosRAT, 44 x VIPKeylogger)
ssdeep	6144:Rhgqhw9oAFPZVheNA+ff0Rx0qYe91GDonGTy3FZWe:kqknhe2e6Obvm/We
Threatray	1'244 similar samples on MalwareBazaar
TLSH	T1B76428A239CA756FDC2F9634035FEAB22A755CE07391096E4F40320D5C36A4A90EEDD7
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c88604b919c6c6c0 (77 x GuLoader, 10 x Formbook, 8 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-04T06:51:05Z
Valid to:	2025-02-03T06:51:05Z
Serial number:	-43b27d7c4d08ac24
Thumbprint Algorithm:	SHA256
Thumbprint:	1f1cecd6133d2ca2a678491b382626d97d101c2ea23116893b5e04cf2fdfecf2
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

577

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.Injector.ETRR-2693.10982

Verdict:

Malicious activity

Analysis date:

2022-09-20 10:22:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b2baf23c-7a07-4507-856f-03b8d0980eaa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311638/

Detection(s):

SecuriteInfo.com.W32.Injector.ETRR-2693.10982.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38235/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

75%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6329939d36ba812561a1fa07/reports/c50614d0-62e7-49e7-9ad4-ea2396f9afd1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ba4c64d6-011c-432a-a594-13fd7f81a54a

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1073620

Signature

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2022-09-20 08:32:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 39 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vgwkyk6gbtlfwjbfpxgvts5b66nf3dv6nnum77xrffuahcwnez2q._file

Verdict:

malicious

GuLoader

595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb

GuLoader

5fd8c33a5491be40bb0685430728361feb280f92f318f7f0a327bd63fca86f99

GuLoader

7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7

GuLoader

7d99aa5b81da99461aa61d5542cabce7bc5ffedc56cd1c1d9d6e58e242b38802

GuLoader

a18ab93f8c9268841b6cd59842a935651d9267fa2b8f72b2196cf68f7b57df9d

GuLoader

e5653285dfebc9a95f3a866693752e3f0e62ae312aaf054249067e22cf5836a5

GuLoader

f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d

GuLoader

+ 1'234 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/220920-mchewscfg5/

Behaviour

Enumerates physical storage devices

Checks installed software on the system

Loads dropped DLL

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/207d5c97-d612-4287-878a-4d9785565fe7

Unpacked files

SH256 hash:

a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675

MD5 hash:

5907dff1d78efc94eae6c08342f819fc

SHA1 hash:

74187aee526293b2f4079d3ef920a704642fe768

Link:

https://www.unpac.me/results/0c85e8a7-89dc-438e-ba09-3d0acfe46968/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311638/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample