MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3f274d21027d5681449dfb2573c6ac9510c12592f0eb7f5045f9f951b6dd894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3f274d21027d5681449dfb2573c6ac9510c12592f0eb7f5045f9f951b6dd894
SHA3-384 hash: 6ba2425ff7c582812fe43d5dd31acfbb6ef8fca8fb08ab2a0591a60cae59f9f390720f4ecca9d42d9bdc7496debaadc6
SHA1 hash: b92cafe65aade46f354f0378e4e9501b4a54213b
MD5 hash: 610f6fc5320dec40af36cbc02d6b8540
humanhash: august-wisconsin-lake-johnny
File name:HSBC Customer Information.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:221'032 bytes
First seen:2022-03-08 17:17:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:jYa6ZNlC4D1gUyLzuhT8nBbf4SAhvAnRSLptzlu2F:jY5e4S9nR+pt5F
Threatray 9'817 similar samples on MalwareBazaar
TLSH T18424D04036A8D4D7E86A03B159B6D46A69F0FD1C06F8854F62EA7F2BB7B6343140F709
File icon (PE):PE icon
dhash icon f5f3f92da48dedbd (2 x Formbook, 1 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader HSBC signed

Code Signing Certificate

Organisation:PLEURODISCOUS
Issuer:PLEURODISCOUS
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-08T07:12:03Z
Valid to:2023-03-08T07:12:03Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 6126b73539c81a6a5b3bf3f41726bbbbad0c2abda6aabb335bf336c7cdf9d745
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248377/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process with a hidden window
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8600/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62279aa0dfdfa8501c7b6ffb/reports/105537ed-05e6-4c91-b25f-7035bdb63612/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2cfe193e-a44c-4e8d-82f9-5846659a9ca0
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952930
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 585409 Sample: HSBC Customer Information.exe Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 32 vashstangeneralsupplies.com 2->32 34 mail.antiigaf.net 2->34 36 antiigaf.net 2->36 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 5 other signatures 2->48 8 HSBC Customer Information.exe 2 24 2->8         started        12 explorer.exe 2->12         started        signatures3 process4 file5 24 C:\Users\user\AppData\...\pingsender.exe, PE32 8->24 dropped 26 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 30 2 other files (none is malicious) 8->30 dropped 50 Writes to foreign memory regions 8->50 52 Tries to detect Any.run 8->52 54 Hides threads from debuggers 8->54 14 CasPol.exe 19 8->14         started        18 explorer.exe 8->18         started        20 svchost.exe 12->20         started        signatures6 process7 dnsIp8 38 antiigaf.net 192.163.206.80, 26, 49798, 49799 UNIFIEDLAYER-AS-1US United States 14->38 40 vashstangeneralsupplies.com 38.103.241.10, 443, 49761 FHLB-OFUS United States 14->40 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->58 60 Tries to steal Mail credentials (via file / registry access) 14->60 62 6 other signatures 14->62 22 conhost.exe 14->22         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3f274d21027d5681449dfb2573c6ac9510c12592f0eb7f5045f9f951b6dd894/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 07:49:52 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pzhjuqqe7kwqfcj36zfopdkzfiqyeszf4hlp5iel6pzkg3n3cka._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1fed413e1cf6bf9886f077ac4ebe4c86b566917bf3b0cd806805acbb89b27558
GuLoader
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
GuLoader
67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de
GuLoader
99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1
GuLoader
a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
GuLoader
b57d7de33914f91073e29ac243cc026716b4b4a2ffd3ad9235e407c73fdb4be8
GuLoader
ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677
GuLoader
+ 9'807 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220308-vvarrsheg7/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent file
Loads dropped DLL
AgentTesla Payload
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
978e6ec991096467ac5b2cfdbbcb661fc76240a2b7f9a5a7a456244c011a1d4d
MD5 hash:
d8d6968356325fd4b2e6771f8e0835ec
SHA1 hash:
d350acb7dda41991b17631fd419fbf98b34b23d2
Link:
https://www.unpac.me/results/264e46a5-f41b-4d0a-bcfe-7aa3d0831ba3/
SH256 hash:
e31a9773b8bc590fe2a27d8a3f034fcac5b90234699221cad99c0c41993cdd88
MD5 hash:
666c5039b9edb5826d4b4481c048427e
SHA1 hash:
262a5a51dbfb7fb23c0f6d979173b4c11566821b
Link:
https://www.unpac.me/results/264e46a5-f41b-4d0a-bcfe-7aa3d0831ba3/
SH256 hash:
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
MD5 hash:
675c4948e1efc929edcabfe67148eddd
SHA1 hash:
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
Link:
https://www.unpac.me/results/264e46a5-f41b-4d0a-bcfe-7aa3d0831ba3/
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/264e46a5-f41b-4d0a-bcfe-7aa3d0831ba3/
SH256 hash:
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
MD5 hash:
68b287f4067ba013e34a1339afdb1ea8
SHA1 hash:
45ad585b3cc8e5a6af7b68f5d8269c97992130b3
Link:
https://www.unpac.me/results/264e46a5-f41b-4d0a-bcfe-7aa3d0831ba3/
SH256 hash:
0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
MD5 hash:
b1ba7a8263281244782ca5604876cb2c
SHA1 hash:
b8523dee6d7e74512a05c60cc35c0fddac370252
Link:
https://www.unpac.me/results/264e46a5-f41b-4d0a-bcfe-7aa3d0831ba3/
SH256 hash:
d3f274d21027d5681449dfb2573c6ac9510c12592f0eb7f5045f9f951b6dd894
MD5 hash:
610f6fc5320dec40af36cbc02d6b8540
SHA1 hash:
b92cafe65aade46f354f0378e4e9501b4a54213b
Link:
https://www.unpac.me/results/264e46a5-f41b-4d0a-bcfe-7aa3d0831ba3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d3f274d21027/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/d3f274d21027d5681449dfb2573c6ac9510c12592f0eb7f5045f9f951b6dd894

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248377/

Comments