MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282
SHA3-384 hash: 84857027d2c714d3d555b08b5bd38bae56b6d01c394988092f147f85091bd00d0bcc0f2a72cbb969568232cef33681cd
SHA1 hash: 854f2c562142f487ee80c703b314a4e4e9fd3192
MD5 hash: 40f2e33203ca34bde4ff393cd29460ea
humanhash: cardinal-dakota-jersey-fourteen
File name:QUOTE.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:372'007 bytes
First seen:2024-03-18 13:17:44 UTC
Last seen:2024-03-18 15:29:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:5XCKG5HEV9D0BUoulznBzrezPLBqt3BvNa4DmBVLmQrrPVp5+blFfBSgwN:5Xc22BUouBnVrezPaRvN/mDLmgrNp+pw
Threatray 34 similar samples on MalwareBazaar
TLSH T10F841310B3B1D6A7DCA20F336E3753639A769C239965131B234129EDAD732426E1F31B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282.exe
Verdict:
Suspicious activity
Analysis date:
2024-03-18 13:27:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f06e7286-1103-4e8b-b5a6-9e77e5e741df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.4432.17437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Moving a file to the Program Files subdirectory
Replacing files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
guloader installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65f83f2c87137159d448db72/reports/14d018cd-2b25-434f-bb01-781c64a5a774/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac9f0adf-59e6-4fa5-bbc9-421257e5e320
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1410979
Signature
Antivirus detection for URL or domain
Found malware configuration
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1410979 Sample: QUOTE.exe Startdate: 18/03/2024 Architecture: WINDOWS Score: 100 34 smtp.gmail.com 2->34 36 lo7.za.com 2->36 38 api.ipify.org 2->38 48 Found malware configuration 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 7 other signatures 2->54 8 QUOTE.exe 23 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\...24otifikation.lig, ASCII 8->24 dropped 56 Suspicious powershell command line found 8->56 12 powershell.exe 20 8->12         started        signatures6 process7 file8 26 C:\Users\user\AppData\Local\...\QUOTE.exe, PE32 12->26 dropped 58 Obfuscated command line found 12->58 60 Writes to foreign memory regions 12->60 62 Powershell drops PE file 12->62 16 wab.exe 15 8 12->16         started        20 conhost.exe 12->20         started        22 cmd.exe 1 12->22         started        signatures9 process10 dnsIp11 28 lo7.za.com 91.234.99.151, 443, 49713 PIHL-ASRU Netherlands 16->28 30 smtp.gmail.com 172.253.115.109, 49715, 49716, 49717 GOOGLEUS United States 16->30 32 api.ipify.org 172.67.74.152, 443, 49714 CLOUDFLARENETUS United States 16->32 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->40 42 Tries to steal Mail credentials (via file / registry access) 16->42 44 Tries to harvest and steal browser information (history, passwords, etc) 16->44 46 2 other signatures 16->46 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-03-14 04:30:01 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2io7kmcwfgt7ecssj3yjngwtczty3miz3tlnx6rxgk7vwmgm2kba._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
614ae605266b9829b5577ebd8562f5fadb2ef82337597d32e54c8ace9f1ea25c
GuLoader
70f27cc87397701a73835625b0ee8caf3ef97b506554f2a7f65c2c08afd264f7
GuLoader
a9e7826e1404e06fb6b073ff5e025313612b5aec22121aba299c72b86749e9bf
GuLoader
c9e1de1c6ddd3ffd9c87ebdbcf9bd5b7064af9f60f650ae50573b05a49af8327
GuLoader
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
GuLoader
dfa384f6136c43639f6c66766ca81c245e65a70fcf92015656b1cd7a579a3647
GuLoader
e54350487bda76835619ccc44ff79db38db5183f544efbf33159cfd707bcdb75
GuLoader
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/240318-qjz53ahf44/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282
MD5 hash:
40f2e33203ca34bde4ff393cd29460ea
SHA1 hash:
854f2c562142f487ee80c703b314a4e4e9fd3192
Link:
https://www.unpac.me/results/08d477ef-897d-46d2-a5df-6757ce1b7d4b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe d21df5305629a7f20a524ef0969ad316678db119dcd6dbfa3732bf5b30ccd282

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments