MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4d04151b3ce2fb36f1b941e3fa294cc58d229d72a357c3fb4b9b6a0f2207cda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4d04151b3ce2fb36f1b941e3fa294cc58d229d72a357c3fb4b9b6a0f2207cda
SHA3-384 hash: e78ffaee816827e5bf29b7cc721367e91865914dbee81329a331158c2b2162730b6d1991e5a446f0e8b71caa76e789df
SHA1 hash: 92615553a69b48f092356cc141699a2c570f6941
MD5 hash: 71cd362b9b5aeb1634d941554a5e76fa
humanhash: sierra-eight-cola-kansas
File name:PO6547138_20230822.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:371'712 bytes
First seen:2023-08-23 06:40:37 UTC
Last seen:2023-08-23 08:12:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:kQ606xiR8PcMSWodSbV/rqg8SGS/RiGagklCJwPfQtidynTWUviQIa2EMKedJAiD:fR87odEVzqghZFCPCiUTyKevAe
Threatray 5'525 similar samples on MalwareBazaar
TLSH T150842211A678C87FF2D2067168B167A6DDACED3D71D22B9A0B201E8E7C723C4B58D5C4
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f1c0c68e8c98fc70 (3 x GuLoader, 3 x AgentTesla)
Reporter Anonymous
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-18T11:13:50Z
Valid to:2025-11-17T11:13:50Z
Serial number: 1baf114458de078e975b43e513241b4093f877f2
Thumbprint Algorithm:SHA256
Thumbprint: ec7d4fc38aa5a6253c3cb6e11ab7d12a5bb7280f2bff6c208163a6085599a2c2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO6547138_20230822.exe
Verdict:
Suspicious activity
Analysis date:
2023-08-23 06:42:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db48a27b-96c3-4eb0-a420-6cfff8c7239c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444280/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.29688.10036.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108351/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
TR/Injector.ifdad
Link:
https://www.hybrid-analysis.com/sample/e4d04151b3ce2fb36f1b941e3fa294cc58d229d72a357c3fb4b9b6a0f2207cda
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/93acdcb1-c493-4e16-8c2d-a372e27da264
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1295673
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1295673 Sample: PO6547138_20230822.exe Startdate: 23/08/2023 Architecture: WINDOWS Score: 96 28 googlehosted.l.googleusercontent.com 2->28 30 drive.google.com 2->30 32 doc-00-3c-docs.googleusercontent.com 2->32 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected GuLoader 2->48 7 PO6547138_20230822.exe 2 44 2->7         started        11 Myapp.exe 2 2->11         started        13 Myapp.exe 1 2->13         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\System.dll, PE32 7->26 dropped 50 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->50 52 Writes to foreign memory regions 7->52 54 Tries to detect Any.run 7->54 56 Maps a DLL or memory area into another process 7->56 15 CasPol.exe 2 12 7->15         started        58 Tries to detect sandboxes / dynamic malware analysis system (file name check) 11->58 20 conhost.exe 11->20         started        22 conhost.exe 13->22         started        signatures6 process7 dnsIp8 34 googlehosted.l.googleusercontent.com 142.250.185.97, 443, 49953 GOOGLEUS United States 15->34 36 drive.google.com 172.217.16.206, 443, 49952 GOOGLEUS United States 15->36 24 C:\Users\user\AppData\Roaming\...\Myapp.exe, PE32 15->24 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->40 42 Tries to steal Mail credentials (via file / registry access) 15->42 44 3 other signatures 15->44 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4d04151b3ce2fb36f1b941e3fa294cc58d229d72a357c3fb4b9b6a0f2207cda/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 06:41:08 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4tiecuntzyx3g3y3sqpd7iuuzrmnekoxfi2xyp5uxg3kb4raptna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
4179cbf147e658854400967be76ca120278fe858fa44cc24cefea7578065b2ad
GuLoader
449947dedfa89870f0f4d5dc86edc66c4656a6f94504167bbe4f803cd5c16076
GuLoader
5afc34ba8d87868898a975c8a82a6817739d9ff294fae609b2ca293ac5e478a6
GuLoader
5fcef5ddef0a34f70e1e879e60868a8bec88ccd0071a9895961172f3a9c6601f
GuLoader
6a3bc2efcecdd25c5257e19e630b5785dc9e8ebb259773d40d2fc4c19e377285
GuLoader
84c7973871a6a639c40534f9e3fd7135bd35cd1b0eee937cc849af90c903c4c2
GuLoader
8faf480c1ae966b6f4f2656368ec83dca9ab004811cf330083afc56043735a5b
GuLoader
96fdf5c2a638bb7b2390fc8764534d26027446115f781706aa67d1e83234dcd3
GuLoader
e0a9d1ee5f291098090a028934842e554f4bb482a0100077d909d3005430b2ee
GuLoader
+ 5'515 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230823-hfr2aabg9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/0402474f-e0ee-455c-9be1-0c2a6d9b866b/
SH256 hash:
e4d04151b3ce2fb36f1b941e3fa294cc58d229d72a357c3fb4b9b6a0f2207cda
MD5 hash:
71cd362b9b5aeb1634d941554a5e76fa
SHA1 hash:
92615553a69b48f092356cc141699a2c570f6941
Link:
https://www.unpac.me/results/0402474f-e0ee-455c-9be1-0c2a6d9b866b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e4d04151b3ce2fb36f1b941e3fa294cc58d229d72a357c3fb4b9b6a0f2207cda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444280/

Comments