MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215
SHA3-384 hash: 98f38b045856193814a26ee0d26f6faf74961306a7ec65b77c51b1a3cb183b4984eb6ec11dfdcfcc2cb15bac41799dd9
SHA1 hash: f70e56fc62fea17f9a498bacb575501eb2d251e9
MD5 hash: 8b451285124ecf44536d36b563c6d72a
humanhash: spring-pasta-hot-hot
File name:Inquiry No. EI2022-5008.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:107'976 bytes
First seen:2022-09-07 12:14:54 UTC
Last seen:2022-09-15 12:26:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 3072:IdxNE+Hb+eyz9zII4Sh2De4uNSf+RhQXB6:IW+7+eMjhNZSf4hQU
Threatray 3 similar samples on MalwareBazaar
TLSH T1CDB3E111B6E4887BF6A70E712EB29B72F776B705182047972B105E643E35387DE0C26A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Tribunernes Suspendibility
Issuer:Tribunernes Suspendibility
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-01T17:45:43Z
Valid to:2025-01-31T17:45:43Z
Serial number: 232f31bafb28ba79
Thumbprint Algorithm:SHA256
Thumbprint: 16e25d005bec5dae0d04e88ac0ecf7946cf297d27608c213d6ee120c4217e9ed
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry No. EI2022-5008.exe
Verdict:
Malicious activity
Analysis date:
2022-09-07 12:18:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1602b14f-5220-4500-92da-618d2c19ca97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308498/
Detection(s):
SecuriteInfo.com.W32.Trojan.BEJH-8036.6638.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63188b50bdec86ddb45ae04f/reports/d401ac06-e6fb-46b2-a799-5e8a45e8426b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3ccca8a2-51d7-4e68-bf7f-b57c076a6d6a
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066366
Signature
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 698903 Sample: Inquiry No. EI2022-5008.exe Startdate: 07/09/2022 Architecture: WINDOWS Score: 100 24 rimiapparelsltd.com 2->24 26 mail.rimiapparelsltd.com 2->26 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected GuLoader 2->34 36 Yara detected AgentTesla 2->36 38 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->38 8 Inquiry No. EI2022-5008.exe 1 25 2->8         started        signatures3 process4 file5 22 C:\Users\user\AppData\Local\...\System.dll, PE32 8->22 dropped 40 Writes to foreign memory regions 8->40 42 Tries to detect Any.run 8->42 12 CasPol.exe 11 8->12         started        16 CasPol.exe 8->16         started        18 CasPol.exe 8->18         started        signatures6 process7 dnsIp8 28 163.123.143.208, 49774, 80 ILIGHT-NETUS Reserved 12->28 30 rimiapparelsltd.com 67.222.130.10, 49777, 587 ASN-DISUS United States 12->30 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->44 46 Tries to steal Mail credentials (via file / registry access) 12->46 48 Tries to harvest and steal ftp login credentials 12->48 54 2 other signatures 12->54 20 conhost.exe 12->20         started        50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->52 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-07 10:03:01 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3tri4mwuivycg5tc5ts6vcnipkscqgw3kgsqq2vb6f52boaqikq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1d69bbb633875506188822fca5f2ba36b60821c9ad3e4e801bb56dc7aa58950b
GuLoader
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
GuLoader
7d4feff258cc047570614cc192706671e30cfa8fb81f23356f6c2c794ca4e68c
GuLoader
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220908-fwnbxsahar/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
MD5 hash:
3e6bf00b3ac976122f982ae2aadb1c51
SHA1 hash:
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
Link:
https://www.unpac.me/results/8f8a7a56-2c49-4364-b8e6-a1b5683728c2/
SH256 hash:
cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215
MD5 hash:
8b451285124ecf44536d36b563c6d72a
SHA1 hash:
f70e56fc62fea17f9a498bacb575501eb2d251e9
Link:
https://www.unpac.me/results/8f8a7a56-2c49-4364-b8e6-a1b5683728c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/308498/

Comments