MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e024d90a271d4496b50aa2f15d174c5ac3dc3b635573466503d84d95de5b6f79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	e024d90a271d4496b50aa2f15d174c5ac3dc3b635573466503d84d95de5b6f79
SHA3-384 hash:	8f6419bb219586158229a4f6b9001f91a9778ea7ad56a9aefb5d6998726477c2ca8cef5d8b006b54fd550c6a74c40d77
SHA1 hash:	2ed36e2cc8497053f8af5b816134d749ff8802ba
MD5 hash:	5a7bdae01ed737b873a96c617da2a562
humanhash:	zulu-pizza-fanta-mockingbird
File name:	SecuriteInfo.com.Generic.ML.PUA.3113
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	107'224 bytes
First seen:	2022-09-19 06:45:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep	3072:As+LplNxNXz3lxRXJWfHGsfbYbJSApFxhbO22hVJKNjjUZgv:AsKxNX1APHE4kxFchnKSZC
Threatray	14'417 similar samples on MalwareBazaar
TLSH	T137A3F1D163E264BBE6937D312AB38F36C73BA311102155935710EA6A6D337C39B5B2C2
TrID	92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-05-03T21:26:21Z
Valid to:	2025-05-02T21:26:21Z
Serial number:	-0165ce372a499c1a
Thumbprint Algorithm:	SHA256
Thumbprint:	d4114d5e9cdd5e79c8b2de6c08b0a9720a66711e49a64cfc9bfffa9db80c01ec
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

400

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Generic.ML.PUA.3113

Verdict:

Malicious activity

Analysis date:

2022-09-19 06:47:50 UTC

Tags:

installer

Link:

https://app.any.run/tasks/dd17f739-f595-4ee3-8a80-82ce34b1f904

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311196/

Detection(s):

SecuriteInfo.com.Generic.ML.PUA.3113.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% subdirectories

Creating a file in the %AppData% directory

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6328102f0c8f1d28a174719d/reports/58827e99-2118-46f0-8635-ecc2a4cf0e95/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a07bb166-931c-49fa-87d0-d7522aafbc85

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1072726

Signature

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e024d90a271d4496b50aa2f15d174c5ac3dc3b635573466503d84d95de5b6f79/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2022-09-19 05:41:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4asnscrhdvcjnnikulyv2f2mllb5yo3dkvzumzid3bgzlxs3n54q._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

6619a23606037c409d8a806d59156f73cc1493462da007f59002da7c1a9892e6

GuLoader

6d4d55abaccc1b19903ceb6c96d760327bb9c87a744a8806bfb242d547c9e6e3

GuLoader

7dd92e873c628b396cdddf9fa1d616102db4381b29c6f3b3c6306d0899c5589f

GuLoader

9d38f9ec73984b7fafcead3842ed5fe3920574f5d93cec8b4e4bb7dcd124662b

GuLoader

c017347ca2329b74ae1d8fe7adc174f9812499ef672516e1141123827f640eea

GuLoader

c8b9df067d8ce54ce2c376ad20bd6130dc1f3d4feac573da798e68a202b2ef6f

GuLoader

df06ee14dcd8d18eae4a818033bd9c3a2971adcf7c0fe9a2ee563a95e975286f

GuLoader

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

GuLoader

+ 14'407 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:agenttesla family:guloader collection discovery downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220919-hjlzfacgc7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks installed software on the system

Checks QEMU agent file

Loads dropped DLL

AgentTesla

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/942b4331-c66e-49d5-b351-0ec05bb6d46d

Unpacked files

SH256 hash:

b5d706f64a94dc364a46c520c6613e6bed940ae669666f86ae559d45c8d810e6

MD5 hash:

5411d24ad94780407bcc5a60d97b9973

SHA1 hash:

419beaace4017e8c3d2767311d5a523b4949c0e8

Link:

https://www.unpac.me/results/fc24c05d-871d-418d-8a50-ebc2546f07df/

SH256 hash:

e024d90a271d4496b50aa2f15d174c5ac3dc3b635573466503d84d95de5b6f79

MD5 hash:

5a7bdae01ed737b873a96c617da2a562

SHA1 hash:

2ed36e2cc8497053f8af5b816134d749ff8802ba

Link:

https://www.unpac.me/results/fc24c05d-871d-418d-8a50-ebc2546f07df/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e024d90a271d4496b50aa2f15d174c5ac3dc3b635573466503d84d95de5b6f79

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311196/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample