MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9cfefd4ea68622813c00be6fafd0cde7eef1e0c5ef4733e4c1fc830e291a401. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

SHA256 hash: b9cfefd4ea68622813c00be6fafd0cde7eef1e0c5ef4733e4c1fc830e291a401
SHA3-384 hash: bbc5607f4020e15e6408cb239e55a9f6e39c7797e0bc9148d021846dc70ab96445dca32c9ad662422752f99af8b8f629
SHA1 hash: 189edc7267e47f41c374b822b45c0d7f635cfb24
MD5 hash: 3509041e7c38f4e6eedf2e4e31be1ced
humanhash: maryland-venus-indigo-louisiana
File name: SecuriteInfo.com.Trojan.Inject4.42104.28090.155
Signature: GuLoader
File size: 394'736 bytes
First seen: 2022-09-07 21:30:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep: 6144:FGf+q+EeBseeqnf3UCRfeAI3c8r7yZKixzCF8xBH++taIhzpHO35xw:GgseeiUC9UyZfCWje+kguxw
TLSH: T1EA84CF5464A1C4A9C3B00BF12ED2FAB9853C6CE21E0B194FB744FBCE187169D734A35A
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: SecuriteInfoCom
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Relitigation Afledendes Illegitimatizing
Issuer: Relitigation Afledendes Illegitimatizing
Algorithm: sha256WithRSAEncryption
Valid from: 2022-06-05T16:50:33Z
Valid to: 2025-06-04T16:50:33Z
Serial number: -3f1ff538fc798f4b
Thumbprint Algorithm: SHA256
Thumbprint: 2b62258f5d5c0d01c16315e648227e9c6eb9dd699f916fbda4c4f7b30e849e04
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 446
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.Inject4.42104.28090.155
Verdict: Malicious activity
Analysis date: 2022-09-07 21:31:47 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window

Result
Malware family: n/a
Score: 5/10
Tags: n/a

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: buer overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla, GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph (graph image not preserved; recoverable content listed below)
Behavior Graph ID: 699311
Sample: SecuriteInfo.com.Trojan.Inj...
Startdate: 07/09/2022
Architecture: WINDOWS
Score: 100
Signatures on the sample: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 2 other signatures
Domains contacted: ftp.artemusa.cl; allvar.hr
Process tree:
  SecuriteInfo.com.Trojan.Inject4.42104.28090.155.exe (started)
    Dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
    Signatures: Obfuscated command line found; Writes to foreign memory regions; Tries to detect Any.run
    CasPol.exe (started)
      Network: allvar.hr 195.29.178.6, 443, 49797, 49798, T-HTCroatianTelecomIncHR, Croatia (LOCAL Name: Hrvatska); ftp.artemusa.cl 158.69.242.51, 21, 49804, OVHFR, Canada
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
      conhost.exe (started)
    cmd.exe (started)
      conhost.exe (started)
    cmd.exe (started)
      conhost.exe (started)
    72 other processes
      conhost.exe x3 (started); 69 other processes
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2022-09-07 07:04:45 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 13 of 26 (50.00%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: guloader
Score: 10/10
Tags: family:guloader downloader
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Guloader, Cloudeye
Unpacked files

SHA256 hash: 98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
MD5 hash: b8992e497d57001ddf100f9c397fcef5
SHA1 hash: e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256 hash: 7fafaf28fa6eb7604c61ef816cdd3e5097a0e17695bef0bf9116b6558aa68967
MD5 hash: ae164b9dd3591a987b0d71dc255c4654
SHA1 hash: 41198cb28a31a0ffc3d14540e61a4840800681cc
Detections: win_flawedammyy_auto
Parent samples:

SHA256 hash: 1ee2a7f624300b44919fc9c9c3210e85b290e8d67af7aada4c7d5ad872b0a7cf
MD5 hash: 38426fb80294933b4162b5af73f5e55c
SHA1 hash: 0cb85f18ed67785787e14d1c2f4af74fb74ba257
Detections: win_flawedammyy_auto
Parent samples:

SHA256 hash: b9cfefd4ea68622813c00be6fafd0cde7eef1e0c5ef4733e4c1fc830e291a401
MD5 hash: 3509041e7c38f4e6eedf2e4e31be1ced
SHA1 hash: 189edc7267e47f41c374b822b45c0d7f635cfb24
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: win_flawedammyy_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.flawedammyy.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments