MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd19d09ab53cc302c33c6ed5461aae7df3d0a62e0666f0b21f873c17c6f9f0fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd19d09ab53cc302c33c6ed5461aae7df3d0a62e0666f0b21f873c17c6f9f0fd
SHA3-384 hash: b10541100e570bbff5e181cbc86d9da35fc0ad6203471518bd5c2edfdaf9c89782e4d593355666fafeab6ce360cf826b
SHA1 hash: 6436ac0c9b33bebc2b4d401178c953c2186b4fdd
MD5 hash: 67bfe5d71344f091019f9f090ea3d6e6
humanhash: oranges-snake-michigan-maine
File name:HSBC Payment Advice.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:529'336 bytes
First seen:2022-03-08 17:17:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:hYa6zWhrhlrJEbmnbLu42cwVkEsEr6gZgvm27UUNIQ4Cx:hYtKlrJEbOUcBDmLq4Cx
Threatray 9'816 similar samples on MalwareBazaar
TLSH T162B43EB6CEF0D199ECDD9B3964F20CB216577E7EAABC695C5849712222730C39172C0B
File icon (PE):PE icon
dhash icon 2131111155696d6d (2 x Formbook, 1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader HSBC signed

Code Signing Certificate

Organisation:Rigsfyrsten
Issuer:Rigsfyrsten
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-08T07:07:38Z
Valid to:2023-03-08T07:07:38Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: f24d49b3e450928219ad1be2bc30d71ceac5da26035b34f47a5befb68bad9590
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248376/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8599/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62279a9edfdfa8501c7b6ff9/reports/51fb989f-19ea-4865-aa8b-0f81718be004/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a955b79-440d-4d36-921e-a5a1a13db864
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952931
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 585410 Sample: HSBC Payment Advice.exe Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 32 vashstangeneralsupplies.com 2->32 34 mail.antiigaf.net 2->34 36 antiigaf.net 2->36 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 7 other signatures 2->48 8 HSBC Payment Advice.exe 2 21 2->8         started        12 explorer.exe 2->12         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\LangDLL.dll, PE32 8->30 dropped 50 Writes to foreign memory regions 8->50 52 Tries to detect Any.run 8->52 54 Hides threads from debuggers 8->54 14 CasPol.exe 19 8->14         started        18 CasPol.exe 8->18         started        20 explorer.exe 8->20         started        22 svchost.exe 12->22         started        signatures6 process7 dnsIp8 38 antiigaf.net 192.163.206.80, 26, 49758, 49759 UNIFIEDLAYER-AS-1US United States 14->38 40 vashstangeneralsupplies.com 38.103.241.10, 443, 49741 FHLB-OFUS United States 14->40 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->56 58 Tries to steal Mail credentials (via file / registry access) 14->58 60 Tries to harvest and steal ftp login credentials 14->60 66 4 other signatures 14->66 24 conhost.exe 14->24         started        62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->62 64 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->64 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd19d09ab53cc302c33c6ed5461aae7df3d0a62e0666f0b21f873c17c6f9f0fd/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 07:50:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xum5bgvvhtbqfqz4n3kumgvopxz5bjroaztpbmq7q46bprxz6d6q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1fed413e1cf6bf9886f077ac4ebe4c86b566917bf3b0cd806805acbb89b27558
GuLoader
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
GuLoader
67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de
GuLoader
892ef7a1974f417377e4b50358b42c68248a4f4c1f393328421ad48e73861640
GuLoader
99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1
GuLoader
a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
GuLoader
b57d7de33914f91073e29ac243cc026716b4b4a2ffd3ad9235e407c73fdb4be8
GuLoader
ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677
GuLoader
+ 9'806 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220308-vvarrscebm/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
AgentTesla Payload
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
MD5 hash:
675c4948e1efc929edcabfe67148eddd
SHA1 hash:
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
Link:
https://www.unpac.me/results/998ec0ff-3789-4d56-a34d-4ba28ad05a92/
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/998ec0ff-3789-4d56-a34d-4ba28ad05a92/
SH256 hash:
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
MD5 hash:
68b287f4067ba013e34a1339afdb1ea8
SHA1 hash:
45ad585b3cc8e5a6af7b68f5d8269c97992130b3
Link:
https://www.unpac.me/results/998ec0ff-3789-4d56-a34d-4ba28ad05a92/
SH256 hash:
0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
MD5 hash:
b1ba7a8263281244782ca5604876cb2c
SHA1 hash:
b8523dee6d7e74512a05c60cc35c0fddac370252
Link:
https://www.unpac.me/results/998ec0ff-3789-4d56-a34d-4ba28ad05a92/
SH256 hash:
bd19d09ab53cc302c33c6ed5461aae7df3d0a62e0666f0b21f873c17c6f9f0fd
MD5 hash:
67bfe5d71344f091019f9f090ea3d6e6
SHA1 hash:
6436ac0c9b33bebc2b4d401178c953c2186b4fdd
Link:
https://www.unpac.me/results/998ec0ff-3789-4d56-a34d-4ba28ad05a92/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bd19d09ab53c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd19d09ab53cc302c33c6ed5461aae7df3d0a62e0666f0b21f873c17c6f9f0fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248376/

Comments