MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b06251271462b7ef68d0bcc69258642051c9da6d1d5df95c8e3f031a07906388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b06251271462b7ef68d0bcc69258642051c9da6d1d5df95c8e3f031a07906388
SHA3-384 hash: 5049e596b495feaf6adce0fa8a7d315c3029d7971e5ac4f91c12841172014326c45b8d075035654601583f4b45d32818
SHA1 hash: 9586b111380efa996b4f3e9ec67f75f62632bbb9
MD5 hash: effd03e2901029b294359d27f92c9c30
humanhash: mike-four-skylark-steak
File name:effd03e2901029b294359d27f92c9c30
Download: download sample
Signature GuLoader
Create hunting rule
File size:247'504 bytes
First seen:2022-02-22 08:57:46 UTC
Last seen:2022-02-22 11:00:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48e807a7b58ea2b8edb6203daf32ec53 (2 x Smoke Loader, 1 x GuLoader)
ssdeep 3072:j0Wum2MgC/3w5/rQmFZFkRmiLT8wQ62oIm2M7Wa:j0fmRgGgRg/p//ImR73
Threatray 9'453 similar samples on MalwareBazaar
TLSH T1B1346B9BF5214875F1E40ABC6862C04252D42C2426D5A76A7CEAFA7CE9314CD7373E3E
File icon (PE):PE icon
dhash icon 72c2e0e4ce92f278 (7 x Smoke Loader, 2 x GuLoader, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:Autoophugge
Issuer:Autoophugge
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-21T21:25:28Z
Valid to:2023-02-21T21:25:28Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 7c9995fcf8bcecf26e3483512d3528d0a2ab603cad4aece22143ae85dfaf70bc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://karmart-th.com/zzz/enterprise.exe
Verdict:
No threats detected
Analysis date:
2022-02-22 08:35:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a1d6f3e9-b464-416e-8a3f-29a28592d519

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
GuLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243213/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6214a5a3a2660f3bb9239bd1/reports/bd8e90a1-ee89-4e90-adea-dac4b6980100/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bff07050-105a-404d-b864-487ebb7b80b5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943772
Signature
Antivirus detection for URL or domain
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 576251 Sample: v0FZYhAwS2.exe Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 23 karmart-th.com 2->23 25 api.telegram.org 2->25 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 6 other signatures 2->37 8 v0FZYhAwS2.exe 1 2->8         started        signatures3 process4 signatures5 39 Writes to foreign memory regions 8->39 41 Tries to detect Any.run 8->41 43 Hides threads from debuggers 8->43 11 CasPol.exe 15 11 8->11         started        15 CasPol.exe 8->15         started        17 CasPol.exe 8->17         started        19 CasPol.exe 8->19         started        process6 dnsIp7 27 api.telegram.org 149.154.167.220, 443, 49778 TELEGRAMRU United Kingdom 11->27 29 karmart-th.com 93.189.47.205, 49759, 80 NTCOM-ASRU Russian Federation 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 55 3 other signatures 11->55 21 conhost.exe 11->21         started        51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->53 signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b06251271462b7ef68d0bcc69258642051c9da6d1d5df95c8e3f031a07906388/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 06:33:00 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2a0fe004390f3ffeb24b9bcd83620426b9c5a3c316801d248767035a072c29a1
GuLoader
672f1abddb1c3470a1ebcbc14e1a2023ba7b385afacb15bfaf0fc6994569301b
GuLoader
820b1216485962fa3501dc8bd02a76bdb821fd7b6ffab858c4ebe135c4246090
GuLoader
bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec
GuLoader
c770def66ece0d6100ca50a3b54898be0c177e7d0baddd8803785571f83c1c1a
GuLoader
ce931ede894759cdd518d9dd8f4a9888b7fa3656bd6fa3bc0b66514b985efb5d
GuLoader
d5ca25f68c37ba0a18d0349324b9be079bd85f3a67486bad43c20f745363a475
GuLoader
da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc
GuLoader
ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9
GuLoader
fb347f1dbbd110cf5a15d429a59efd312a7a70e686dbcde9ddc433f536e02fe1
GuLoader
+ 9'443 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220222-kw6wgsgafr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
AgentTesla Payload
AgentTesla
Guloader,Cloudeye
Malware Config
C2 Extraction:
https://api.telegram.org/bot5013020608:AAFu_btAZRcQ9V-SvEIxL9rCbb_x1A-9IJo/sendDocument
Unpacked files
SH256 hash:
b06251271462b7ef68d0bcc69258642051c9da6d1d5df95c8e3f031a07906388
MD5 hash:
effd03e2901029b294359d27f92c9c30
SHA1 hash:
9586b111380efa996b4f3e9ec67f75f62632bbb9
Link:
https://www.unpac.me/results/43243538-5f8b-42db-bc22-e98d4fed6372/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b06251271462/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b06251271462b7ef68d0bcc69258642051c9da6d1d5df95c8e3f031a07906388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe b06251271462b7ef68d0bcc69258642051c9da6d1d5df95c8e3f031a07906388

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2051997/
Cape
Cape
https://www.capesandbox.com/analysis/243213/

Comments


Avatar
zbet commented on 2022-02-22 08:57:47 UTC

url : hxxp://karmart-th.com/zzz/enterprise.exe