MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e24b4518a8d28c76f2fc274dd2dc2cf4c82f734895e13332122a39d101361536. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	e24b4518a8d28c76f2fc274dd2dc2cf4c82f734895e13332122a39d101361536
SHA3-384 hash:	19809f2ec53415a6f494a7767ff38057d41f6bad96fca5fcd6e4449679c1bf719a920bf881d52f0caa6298a0849c4b16
SHA1 hash:	23beb1e65aff0e498463d94ec9e46c791d20c30f
MD5 hash:	400de6051c8472fda10a417389c3122b
humanhash:	lactose-potato-oven-shade
File name:	Ordem de compra 31916.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	451'152 bytes
First seen:	2023-03-02 12:26:50 UTC
Last seen:	2023-03-02 14:29:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep	6144:67y5gB8tW/icvPQXBYc6Slg3SBg71f3M08rsQ9TWOLRNLUNrHFZTH8pcA/Pf:lCycsYglaOQ1PWxWQbUNrHLopcQ
Threatray	532 similar samples on MalwareBazaar
TLSH	T1EEA4F0CE7B414323C0A556B2C4BF4734972D9FD846728B173395FF29B872382ADA194A
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	00a8aaaedee0e002 (8 x GuLoader)
Reporter	abuse_ch
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-10-20T23:27:11Z
Valid to:	2025-10-19T23:27:11Z
Serial number:	3d3ca15dc09d3a4dbb5e250c449cbf3720152be7
Thumbprint Algorithm:	SHA256
Thumbprint:	8cceb177cd9b3eb0ee8d3b90a01ccfccd28ec710d316de55856cae0228048244
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ordem de compra 31916.exe

Verdict:

Malicious activity

Analysis date:

2023-03-02 12:36:27 UTC

Tags:

installer

Link:

https://app.any.run/tasks/3ab3ef7d-f5de-4753-ad28-b3953a0628fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/371164/

Detection(s):

SecuriteInfo.com.FileRepMalware.9637.27080.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the Windows subdirectories

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% subdirectories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

guloader overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6400961b78212a35b6f35d7c/reports/ee439259-dab5-4d19-8f1f-86e356d861fc/overview

Verdict:

Malicious

Labled as:

Downloader/GuLoader

Link:

https://www.hybrid-analysis.com/sample/e24b4518a8d28c76f2fc274dd2dc2cf4c82f734895e13332122a39d101361536

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/63978835-1c88-43e5-8ecf-e5c8e87a349f

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1185950

Signature

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e24b4518a8d28c76f2fc274dd2dc2cf4c82f734895e13332122a39d101361536/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2023-03-02 12:27:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 25 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4jfukgfi2kghn4x4e5g5fxbm6tec642isxqtgmqsfi45cajwcu3a._file

Verdict:

unknown

GuLoader

41810fd3481f8d4ccfb45fddc97fef5ccdff10af555a2c1fa239c541d3fd16a3

GuLoader

4d688c6baec0d972c248f7747f18dc385e67a0fb2b1a5deb70f324b16220780d

GuLoader

561c6e890c23970149d70017c414677c85d99d428cd96378c15f8459596957c6

GuLoader

6497164b34c7d536dfac232cde860961278b0802dc83cc217a9eb60bb61fb2a5

GuLoader

93d8270cf8904624572540c924610458e0eb7984afc5c744eeda2e50ad5024c2

GuLoader

c509b66c0755a4e9e7b7ad209f460f7765b6c06954c9c4f88f051c14cdbc1f6b

GuLoader

f231e32a7da0a5dec56bb64c7ddc4c02bec943ae6ff32703a31fd944337df7bc

GuLoader

f3100e1ff79518aafd23f706e705e0c0639c4d76cb42df14a73268ab78aac4e8

GuLoader

+ 522 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230302-pmrgnach29/

Behaviour

Enumerates physical storage devices

Drops file in Windows directory

Drops file in System32 directory

Loads dropped DLL

Unpacked files

SH256 hash:

484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

MD5 hash:

960a5c48e25cf2bca332e74e11d825c9

SHA1 hash:

da35c6816ace5daf4c6c1d57b93b09a82ecdc876

Link:

https://www.unpac.me/results/669c085d-97b9-459f-a275-22e8e9470325/

SH256 hash:

e24b4518a8d28c76f2fc274dd2dc2cf4c82f734895e13332122a39d101361536

MD5 hash:

400de6051c8472fda10a417389c3122b

SHA1 hash:

23beb1e65aff0e498463d94ec9e46c791d20c30f

Link:

https://www.unpac.me/results/669c085d-97b9-459f-a275-22e8e9470325/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e24b4518a8d28c76f2fc274dd2dc2cf4c82f734895e13332122a39d101361536

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/371164/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample