MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc7332e86188490e730a72e040963619564ff94a46616c206f4ae9f71e1f836d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	fc7332e86188490e730a72e040963619564ff94a46616c206f4ae9f71e1f836d
SHA3-384 hash:	22afa942a2bdc0e429726fc322da14d77e6b6c68024dfbce61e78e15eeffa73677f435e48266ef92803b71df075b606c
SHA1 hash:	44bc29c4419109023f4c311410a85b3418bf2183
MD5 hash:	e3c1b03a5d108e6a35288b7231ea6726
humanhash:	xray-batman-september-steak
File name:	Orden de compra - P06672_PDF.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	536'644 bytes
First seen:	2023-08-28 14:33:37 UTC
Last seen:	2023-08-28 15:35:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (388 x GuLoader, 59 x RemcosRAT, 44 x VIPKeylogger)
ssdeep	12288:OqYRUZ2Ro17RhWFpIyjSz3ly8IQ08J8znex2zEk3kZIlr51obRHz:ORUZ2q1HWFpIuSz1y8IQheznesVrlgHz
Threatray	5'629 similar samples on MalwareBazaar
TLSH	T16AB4224212AACF5BE0175975E8B695F99A349C06CE3F0B1F1750BEF77C70A42CB0A681
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	malwarelabnet
Tags:	AgentTesla exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Orden de compra - P06672_PDF.exe

Verdict:

Suspicious activity

Analysis date:

2023-08-28 14:41:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5a230589-c2d8-4759-869f-e079faf77f27

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444946/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.29938.30964.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file

Delayed reading of the file

Creating a file in the %temp% subdirectories

Sending a custom TCP request

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/64ecb05b7444d2eb09f29487/reports/8c73604a-effb-4492-8590-36ae6f82539f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/fc7332e86188490e730a72e040963619564ff94a46616c206f4ae9f71e1f836d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bd650473-f104-45ab-bb94-3e64efb7d51e

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1298794

Signature

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc7332e86188490e730a72e040963619564ff94a46616c206f4ae9f71e1f836d/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-08-28 12:41:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7rztf2dbrbeq44ykolqebfrwdfle76kkizqwyidpjlu7ohq7qnwq._file

Verdict:

malicious

Label(s):

agenttesla

cloudeye

GuLoader

2ee41490283fad1457d4870ff08f65cf2a6fd2ff0632fae5e365170824111f36

GuLoader

42715639c8e8557bba09d97271da711e53773311b354b802bd3136870ca2098c

GuLoader

485b45513f839ff3c972cbd2434273388b87c070c8c6125a8462aeabe2fb96d5

GuLoader

68d7bd6dc7ce2ada6af865682185e9f2c33c897ec3191f0d6127d3654e69b4a1

GuLoader

6a43a145806aa6aeef3f5c73d915281a6ea092e254ffa4fa8c2d14b0133eb603

GuLoader

b14b4179a3ba7ec52b1c8b1eacc7ebb341b62424a3fff50c3c491da3c2b631cd

GuLoader

bd8c4eb8ae0047367c1d20d2132d3a2fe2bdf0d197001ea4ecaa3816d59c84e9

GuLoader

+ 5'619 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:agenttesla family:guloader downloader keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230828-rxexqabf79/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks QEMU agent file

Loads dropped DLL

AgentTesla

Guloader,Cloudeye

Unpacked files

SH256 hash:

982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

MD5 hash:

0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1 hash:

10c51496d37cecd0e8a503a5a9bb2329d9b38116

Link:

https://www.unpac.me/results/b7ddf921-799c-4e8e-8e3d-f501249e683d/

SH256 hash:

fc7332e86188490e730a72e040963619564ff94a46616c206f4ae9f71e1f836d

MD5 hash:

e3c1b03a5d108e6a35288b7231ea6726

SHA1 hash:

44bc29c4419109023f4c311410a85b3418bf2183

Link:

https://www.unpac.me/results/b7ddf921-799c-4e8e-8e3d-f501249e683d/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fc7332e86188/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.79

Link:

https://yomi.yoroi.company/submissions/fc7332e86188490e730a72e040963619564ff94a46616c206f4ae9f71e1f836d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/444946/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample