MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5bfe8964d886c8ab3506dd2eb0fef5e7d01393a4dde09c731622650f8fa5dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5bfe8964d886c8ab3506dd2eb0fef5e7d01393a4dde09c731622650f8fa5dc1
SHA3-384 hash: 1be6c54a07e286cc1f184b2cf74e6fe287bfe7b989074e366a1d9fd5d4242b907075296c8845401bb70b75616f95f46c
SHA1 hash: e409ef6bc424f54151de1e8910b38a7f7832d947
MD5 hash: eaff4c73fa819f5fa49ed9abac2420c4
humanhash: april-arkansas-carpet-robin
File name:sall.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:146'578 bytes
First seen:2022-09-27 10:59:11 UTC
Last seen:2022-09-27 12:16:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d4b94e8ee3f620a89d114b9da4b31873 (90 x GuLoader, 18 x njrat, 9 x RemcosRAT)
ssdeep 3072:E1T//IHWyWJADJuaXmrbr0oB5bx9FthodsJCa33Cwfp3g7XneldEsz9xr:6//I2y3dX0rT5bgmCk3fp3Aneld7H
Threatray 843 similar samples on MalwareBazaar
TLSH T10EE3029063E0E8B7DEF29B722DBB7E32CEB99650285096C35321A1453D21783E67F153
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter Anonymous
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313946/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.10569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39463/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6332d7b40569d591125fb7dc/reports/d7554cfc-d20f-4c81-ab69-88dbb3d7c881/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/57152093-147e-4765-b8c7-f1a581341835
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078247
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5bfe8964d886c8ab3506dd2eb0fef5e7d01393a4dde09c731622650f8fa5dc1/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 11:00:08 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4w76rfsnrbwivm2qnxjowd7plz6qcoj2jxpatrzrmitfb6h2lxaq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
275db34b1b3d894ed18fba50f477ca897bb3656682c7d0ef2941bd7c696e9f80
GuLoader
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
GuLoader
5fd8c33a5491be40bb0685430728361feb280f92f318f7f0a327bd63fca86f99
GuLoader
7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7
GuLoader
7d99aa5b81da99461aa61d5542cabce7bc5ffedc56cd1c1d9d6e58e242b38802
GuLoader
a18ab93f8c9268841b6cd59842a935651d9267fa2b8f72b2196cf68f7b57df9d
GuLoader
a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675
GuLoader
e5653285dfebc9a95f3a866693752e3f0e62ae312aaf054249067e22cf5836a5
GuLoader
f46d8267eb7fe636d2c5183100bc97e4a93b3a21c5d15661a3dc49ae891f621d
GuLoader
+ 833 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader
Link:
https://tria.ge/reports/220927-m3zrvsdce9/
Behaviour
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a7b6c959-9318-4bc7-8dc8-9beb5cc1c0f0
Unpacked files
SH256 hash:
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
MD5 hash:
ee260c45e97b62a5e42f17460d406068
SHA1 hash:
df35f6300a03c4d3d3bd69752574426296b78695
Link:
https://www.unpac.me/results/ccb1dec1-7d0c-4960-bcc2-b51cbf5f0fb8/
SH256 hash:
e5bfe8964d886c8ab3506dd2eb0fef5e7d01393a4dde09c731622650f8fa5dc1
MD5 hash:
eaff4c73fa819f5fa49ed9abac2420c4
SHA1 hash:
e409ef6bc424f54151de1e8910b38a7f7832d947
Link:
https://www.unpac.me/results/ccb1dec1-7d0c-4960-bcc2-b51cbf5f0fb8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e5bfe8964d886c8ab3506dd2eb0fef5e7d01393a4dde09c731622650f8fa5dc1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313946/

Comments