MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d510754209735ed82b7e8606242cd6334945d9be346ea18c81d7c738c6229c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d510754209735ed82b7e8606242cd6334945d9be346ea18c81d7c738c6229c27
SHA3-384 hash: d419726ff97f282a4507457f3f0c16e4836c56e87595a7afdccffc52ac2621f7220a0c002e601bba3667d60e747390eb
SHA1 hash: ed2c2660717724609c581759e7e6a57fdd194112
MD5 hash: 3987070350d533a50c5ba86becac0621
humanhash: autumn-east-burger-winner
File name:SecuriteInfo.com.Gen.Variant.Nemesis.10877.15959.27000
Download: download sample
Signature GuLoader
Create hunting rule
File size:133'504 bytes
First seen:2022-09-19 01:44:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 3072:kca/q6CDF6Lt3uPkbzv/0Qls5gLoDrCI7iAaYyIktfx4Y2nDo:kQ606xNzv/0QlBLurX7raWkr4m
TLSH T178D3F21063B0C5B7E5A50B302576676BFFBAE92428155B0B03617F49BC62382DD6E339
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
441
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.10877.15959.27000
Verdict:
Malicious activity
Analysis date:
2022-09-19 01:46:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7d6d5496-7504-415a-bc4e-a1433eb22834

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311156/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.10877.15959.27000.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38062/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6327c9a30c8f1d28a1741c58/reports/186cd4a6-de19-41f2-8fbc-85c6ed1c800d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c57987f5-2d86-4911-ba24-195f1fb144ce
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072610
Signature
Hides threads from debuggers
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 705152 Sample: SecuriteInfo.com.Gen.Varian... Startdate: 19/09/2022 Architecture: WINDOWS Score: 100 38 googlehosted.l.googleusercontent.com 2->38 40 drive.google.com 2->40 42 2 other IPs or domains 2->42 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected GuLoader 2->54 56 4 other signatures 2->56 8 SecuriteInfo.com.Gen.Variant.Nemesis.10877.15959.27000.exe 4 92 2->8         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 8->36 dropped 58 Obfuscated command line found 8->58 60 Writes to foreign memory regions 8->60 62 Tries to detect Any.run 8->62 64 Hides threads from debuggers 8->64 12 CasPol.exe 8->12         started        16 CasPol.exe 8->16         started        18 cmd.exe 1 8->18         started        20 243 other processes 8->20 signatures6 process7 dnsIp8 44 api.telegram.org 149.154.167.220, 443, 49776, 49777 TELEGRAMRU United Kingdom 12->44 46 drive.google.com 142.250.186.110, 443, 49774 GOOGLEUS United States 12->46 48 googlehosted.l.googleusercontent.com 172.217.16.129, 443, 49775 GOOGLEUS United States 12->48 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->66 68 Tries to steal Mail credentials (via file / registry access) 12->68 70 Tries to harvest and steal ftp login credentials 12->70 76 4 other signatures 12->76 22 conhost.exe 12->22         started        72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->74 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 20->28         started        30 conhost.exe 20->30         started        32 239 other processes 20->32 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d510754209735ed82b7e8606242cd6334945d9be346ea18c81d7c738c6229c27/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2022-09-19 00:12:59 UTC
AV detection:
5 of 39 (12.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uihkqqjonpnqk36qydcilgwgneulwn6grxkddeb27dtrrrctqtq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/220919-b6eejsfbdj/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8a636c26-632e-4178-a44d-c1db5e5d8b18
Unpacked files
SH256 hash:
56de9d084c248aa3f4ffef22cd67e8c75440432d11d563fca59ea6aea53a2ec2
MD5 hash:
8bfe27c0b85f80b8440ed10930f3594c
SHA1 hash:
35025bcdfce5de60e8d239d51e3b177a3e7072cc
Link:
https://www.unpac.me/results/dc054aa9-9dd1-4879-8151-1c7dcc6e9320/
SH256 hash:
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
MD5 hash:
8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 hash:
223bef1f19e644a610a0877d01eadc9e28299509
Link:
https://www.unpac.me/results/dc054aa9-9dd1-4879-8151-1c7dcc6e9320/
SH256 hash:
f7d98be26c813724c7cb673b53475fe660d3ef4f9930d57a550c91578c660e91
MD5 hash:
723646252e79cbb15c7817360f93a6d2
SHA1 hash:
c9ce61d71b7377456ab49c823fc756336b01f7b5
Link:
https://www.unpac.me/results/dc054aa9-9dd1-4879-8151-1c7dcc6e9320/
SH256 hash:
d510754209735ed82b7e8606242cd6334945d9be346ea18c81d7c738c6229c27
MD5 hash:
3987070350d533a50c5ba86becac0621
SHA1 hash:
ed2c2660717724609c581759e7e6a57fdd194112
Link:
https://www.unpac.me/results/dc054aa9-9dd1-4879-8151-1c7dcc6e9320/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/d510754209735ed82b7e8606242cd6334945d9be346ea18c81d7c738c6229c27

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311156/

Comments