MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afb2d85d5726a65aca9ac9d2e1574ee7da80942db1bbcb4a1594b40339ba84d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

SHA256 hash: afb2d85d5726a65aca9ac9d2e1574ee7da80942db1bbcb4a1594b40339ba84d6
SHA3-384 hash: 733049df6e3b017fc2d49213a85733dbdc343757b326d28b2d4548211e138afd2e8dacd3bfac35f48d57f2e5d101bc2b
SHA1 hash: cf2937ec03ccf4d4a890c8574e4b876fe78e6107
MD5 hash: 99ad1aa85e9323bef378e04492287bef
humanhash: beryllium-glucose-item-uniform
File name: order confirm PDF.exe
Download: download sample
Signature: GuLoader
File size: 255'592 bytes
First seen: 2023-11-28 06:50:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e871f39e81b4aa977737b07cee050825 (15 x GuLoader, 3 x Formbook, 2 x RemcosRAT)
ssdeep: 6144:ik62PBHbeKG9nfsIKeUI/NouVhcWx6PVvMGP3fICY:fpanK4bPcWIPVvMG4z
TLSH: T1E6441266959481E2FFB7057078BBA767AFBC2F10F4B07703BBA059076C632456D0E0A9
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2023-05-21T03:28:18Z
Valid to: 2026-05-20T03:28:18Z
Serial number: 15c11d6266f52da7dcfec6450a2f9271ae5f7db9
Thumbprint Algorithm: SHA256
Thumbprint: 8aefe26511a09788325ca45b68672ef33d76d6a49d1df20c777e9c93fd2679e6
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 307
Origin country: NL
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Sending a custom TCP request
Searching for the window
Delayed reading of the file
Creating a file
Creating a file in the Windows subdirectories
Creating a file in the %temp% subdirectories
Gathering data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader, AgentTesla
Detection:
malicious
Classification:
troj.evad.spre.spyw
Score:
100 / 100
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Threat name:
Win32.Trojan.GuLoader
Status:
Malicious
First seen:
2023-11-28 06:00:27 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
16 of 37 (43.24%)
Threat level:
5/5
Verdict:
malicious
Label(s):
agenttesla_v4
Result
Malware family:
guloader
Score:
10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
AgentTesla
Guloader,Cloudeye
Unpacked files
SHA256 hash: b170d492cedc29719d27092c29ae1c71bc0b4d9c7df5707b44ac748bc394967f
MD5 hash: f294cfefcf2f306696944427ef551de5
SHA1 hash: 6ae91bc7706e0dc0e882f2648277ffc9437a5f8b
SHA256 hash: e32b35cde7c6e2c967445de92884684db7fda506ea52b9aaa74c1a33dd2fdfe6
MD5 hash: 55f18cafe28167995629fdeae4f07bdf
SHA1 hash: a6bd9310f4408c86149993d1e8833d35dd16bb23
SHA256 hash: afb2d85d5726a65aca9ac9d2e1574ee7da80942db1bbcb4a1594b40339ba84d6
MD5 hash: 99ad1aa85e9323bef378e04492287bef
SHA1 hash: cf2937ec03ccf4d4a890c8574e4b876fe78e6107
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe afb2d85d5726a65aca9ac9d2e1574ee7da80942db1bbcb4a1594b40339ba84d6 (this sample)
Delivery method: Distributed via e-mail attachment

Comments