MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf
SHA3-384 hash: eed95477ca98221283e516ea43fef97082cca3c9a75d24c5c27855ba5b2558171fc800e88054008218d2f3fa9f753c11
SHA1 hash: 845f6a0e07ce97aecfbe64f63d187301a9eb9f7d
MD5 hash: 8c0099e1cdfb84e6a6f1463424524237
humanhash: yellow-hydrogen-alpha-yankee
File name:Banco SWIFT.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:574'488 bytes
First seen:2023-12-14 14:50:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 12288:smdMX/3hCYkC+zBtyV4GXf35wn3dXyxhpU1NommVi81nLxWknixRT2j:smducRz3Erf356XyTpUAHi81LxWej
TLSH T113C4230D2BE588A7ED834E704F7DB6E46A78DD2530739617AB849ADC3B0A5D33B14603
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Mikadoers
Issuer:Mikadoers
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-16T07:04:40Z
Valid to:2026-06-15T07:04:40Z
Serial number: 2ec3f4c9e3aa1f1db185e74435905c702125f4a1
Thumbprint Algorithm:SHA256
Thumbprint: f95bff1cc3cab6d793738adae49698d509a516532734832292b64f0804bf2d11
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467484/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.31353.3681.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for the window
Launching a process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/657b165beba10803148ada46/reports/b97a483b-332f-4449-b5a8-ff7559e7165d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f58f444-bc46-4436-872b-aabd63e2555d
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362201
Signature
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362201 Sample: Banco_SWIFT.exe Startdate: 14/12/2023 Architecture: WINDOWS Score: 100 27 server1.sqsendy.shop 2->27 29 schleswig-flensburg.freifunk.net 2->29 31 3 other IPs or domains 2->31 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 Antivirus detection for URL or domain 2->47 49 5 other signatures 2->49 9 Banco_SWIFT.exe 1 23 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\Roaming\...\Rimelig.Com, ASCII 9->25 dropped 59 Suspicious powershell command line found 9->59 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 61 Suspicious powershell command line found 13->61 63 Obfuscated command line found 13->63 65 Very long command line found 13->65 67 Found suspicious powershell code related to unpacking or dynamic code loading 13->67 16 powershell.exe 14 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 39 Writes to foreign memory regions 16->39 41 Maps a DLL or memory area into another process 16->41 21 MSBuild.exe 15 8 16->21         started        process11 dnsIp12 33 server1.sqsendy.shop 63.250.35.178, 49739, 49740, 587 NAMECHEAP-NETUS United States 21->33 35 api4.ipify.org 64.185.227.156, 443, 49737 WEBNXUS United States 21->35 37 2 other IPs or domains 21->37 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->51 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->55 57 4 other signatures 21->57 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-12-14 12:51:14 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5degtttel3izdjeqmwz3kf4qwdkqf5yel2ieblx556mnnf7epsxq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/231214-r75wwsfhe2/
Unpacked files
SH256 hash:
e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf
MD5 hash:
8c0099e1cdfb84e6a6f1463424524237
SHA1 hash:
845f6a0e07ce97aecfbe64f63d187301a9eb9f7d
Link:
https://www.unpac.me/results/d9299640-0959-4190-a88d-aef6b4c5eb5d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e8c869ce645e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/467484/

Comments