MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e12cd78365630b9cb54314ad1b51960a03e18940bd96bfe4a62ddd7f9d135699. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e12cd78365630b9cb54314ad1b51960a03e18940bd96bfe4a62ddd7f9d135699
SHA3-384 hash: 5e8557f1895377abe6e1008f8acb1d694eccc4d5608b092f7ec3764062342bad4558a22c609bbea71c33c23f4b99f73d
SHA1 hash: c3c9949071969071756bbd3b72ad9968f2210102
MD5 hash: 152d9e15eb5ca4b0610c9c98bf4ff094
humanhash: arizona-network-hawaii-item
File name:Pnportd65.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:141'520 bytes
First seen:2022-01-21 01:58:05 UTC
Last seen:2022-01-21 04:10:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:zbG7N2kDTHUpou5/bsRcsBXI42lz38UzaDzZBk1if/YskPx:zbE/HUJsRcKXF2lzMUz6/kEf/Yskp
Threatray 1'469 similar samples on MalwareBazaar
TLSH T1DAD3F1202760C8B3E5F24AB5AE7A97771FF9F5102760CE971390BD883D71AC14A2E721
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter AndreGironda
Tags:AgentTesla exe GuLoader signed

Code Signing Certificate

Organisation:UNENHANCED
Issuer:UNENHANCED
Algorithm:sha256WithRSAEncryption
Valid from:2022-01-20T19:33:52Z
Valid to:2023-01-20T19:33:52Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: f64bb1e465d24e498dce0848a84ec436fb1081ae2785c8ffac3f9aa9dce00c62
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://chyler-leigh.org/k4/Masse.exe
Verdict:
Malicious activity
Analysis date:
2022-01-21 01:12:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5a7358ad-6135-4365-a5c5-e6d61e3fbf1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan-Downloader.Win32.GuLoader.gen.9020.30164.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Sending a custom TCP request
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61ea13310f8c757253d2f3b6/reports/4247f366-4f5f-4272-b340-ed59aefd4d5b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80b1cff4-e7d4-4082-aa8a-8a2877cd6366
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924910
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e12cd78365630b9cb54314ad1b51960a03e18940bd96bfe4a62ddd7f9d135699/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 01:59:11 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
suspicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
00caa54a646237cf00f305613cdd9e0e8dd8e4dcd9706bbdfc71e22f6e673683
GuLoader
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
GuLoader
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
GuLoader
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
GuLoader
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
GuLoader
c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a
GuLoader
fee1019ba9c5d5229717f864c5dc8e1b49150b0c4db83f4a2c9b36d51eb03025
GuLoader
+ 1'459 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220121-cee3fachh4/
Behaviour
Modifies data under HKEY_USERS
Enumerates physical storage devices
Loads dropped DLL
Sets service image path in registry
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/0634b9fd-fb8d-443e-bef0-93432153bf43/
SH256 hash:
e12cd78365630b9cb54314ad1b51960a03e18940bd96bfe4a62ddd7f9d135699
MD5 hash:
152d9e15eb5ca4b0610c9c98bf4ff094
SHA1 hash:
c3c9949071969071756bbd3b72ad9968f2210102
Link:
https://www.unpac.me/results/0634b9fd-fb8d-443e-bef0-93432153bf43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/e12cd78365630b9cb54314ad1b51960a03e18940bd96bfe4a62ddd7f9d135699

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Word file doc ab980575f1abd51f4401c6785345649318444b681eb56880028046936cecc3da

GuLoader

Executable exe e12cd78365630b9cb54314ad1b51960a03e18940bd96bfe4a62ddd7f9d135699

(this sample)

DLL dll 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

Cape
Cape
https://capesandbox.com/analysis/221321/
  
Dropping
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  
Dropping
SHA256 9c7cd86de644d67f36634e5b6df6b66d015e00b57914a094cb2341030c9bd8f1
  
Dropping
SHA256 cf7daf882b7643be6a603b6fa957c1a3d286fecd2f862a1acf5674454595d625
  
Dropped by
SHA256 ab980575f1abd51f4401c6785345649318444b681eb56880028046936cecc3da
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1994438/

Comments