MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fde5e3f6601ebd9df21a200a7031dcb23907f07985b4f8fc7c1ddff7792ca557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fde5e3f6601ebd9df21a200a7031dcb23907f07985b4f8fc7c1ddff7792ca557
SHA3-384 hash: 324a1a2f6e88a43dddcd736981e7bc345bde4440b6c2aff3d83be63c1656143ba919db724a276e009c5e24f90115da6b
SHA1 hash: d7b25bfe67319e49c518216d7a27199df0626dcc
MD5 hash: e99af292bc2e6e66b11317b8b3383cfa
humanhash: georgia-victor-mango-video
File name:e99af292bc2e6e66b11317b8b3383cfa.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:263'864 bytes
First seen:2022-02-21 08:10:18 UTC
Last seen:2022-02-21 10:19:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a6dba6c84409e1cce26d4097ba2cb7b (5 x Smoke Loader, 1 x AgentTesla, 1 x GuLoader)
ssdeep 3072:1Wum2MgKrPEV8DWpr/Batk6qPsvvJMtbeuemIm2M7WTQZM:1fmRgWsZatk5PsvvJMtbPImR7cQZM
TLSH T122446B63B612D535FA6AC5BD1019C68BA1C02C719450472ABFC0BB55E6322EF633BF1B
File icon (PE):PE icon
dhash icon 72c2e0e4ce92f278 (7 x Smoke Loader, 2 x GuLoader, 1 x AgentTesla)
Reporter abuse_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:TAHKHANAKO
Issuer:TAHKHANAKO
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-21T05:14:08Z
Valid to:2023-02-21T05:14:08Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: ac7846b2c86d8b2138e4cea9e2010a4d70765c26307804727b8dde164c8cbab8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242886/
Detection(s):
SecuriteInfo.com.Variant.Midie.108082.4056.20307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6213491a875593a3ccf9dc46/reports/e27bd04b-00cc-4836-8672-222f676cf131/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fcdb0c4-c6a0-499a-96d6-a5e212fa1666
Result
Threat name:
GuLoader AgentTesla SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
evad.bank.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943066
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
GuLoader behavior detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution of Suspicious File Type Extension
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected SmokeLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 575545 Sample: 3sahn6iSSi.exe Startdate: 21/02/2022 Architecture: WINDOWS Score: 100 57 venis.ml 2->57 59 cdn.discordapp.com 2->59 61 api.telegram.org 2->61 85 Multi AV Scanner detection for domain / URL 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 10 other signatures 2->91 10 3sahn6iSSi.exe 1 2->10         started        13 iargdgj 1 2->13         started        signatures3 process4 signatures5 107 Tries to detect Any.run 10->107 109 Hides threads from debuggers 10->109 15 3sahn6iSSi.exe 8 10->15         started        111 Multi AV Scanner detection for dropped file 13->111 20 iargdgj 13->20         started        process6 dnsIp7 69 cdn.discordapp.com 162.159.134.233, 443, 49777, 49778 CLOUDFLARENETUS United States 15->69 51 C:\Users\user\AppData\Local\...\Udklasse4.exe, PE32 15->51 dropped 73 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->73 75 Tries to detect Any.run 15->75 77 Maps a DLL or memory area into another process 15->77 22 explorer.exe 3 15->22 injected 27 Udklasse4.exe 1 15->27         started        71 162.159.135.233, 443, 49790, 49791 CLOUDFLARENETUS United States 20->71 79 Hides threads from debuggers 20->79 81 Checks if the current machine is a virtual machine (disk enumeration) 20->81 83 Creates a thread in another existing process (thread injection) 20->83 29 Udklasse4.exe 20->29         started        file8 signatures9 process10 dnsIp11 63 venis.ml 2.57.187.166, 49785, 80 DTLNRU Russian Federation 22->63 65 93.184.220.29, 49757, 49761, 80 EDGECASTUS European Union 22->65 53 C:\Users\user\AppData\Roaming\iargdgj, PE32 22->53 dropped 55 C:\Users\user\...\iargdgj:Zone.Identifier, ASCII 22->55 dropped 93 Benign windows process drops PE files 22->93 95 Injects code into the Windows Explorer (explorer.exe) 22->95 97 Writes to foreign memory regions 22->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->99 31 explorer.exe 22->31         started        34 explorer.exe 22->34         started        36 explorer.exe 22->36         started        43 4 other processes 22->43 101 Machine Learning detection for dropped file 27->101 38 CasPol.exe 11 27->38         started        103 Tries to detect Any.run 29->103 105 Hides threads from debuggers 29->105 40 CasPol.exe 29->40         started        file12 signatures13 process14 dnsIp15 113 Found evasive API chain (may stop execution after checking mutex) 31->113 115 Checks if browser processes are running 31->115 117 Contains functionality to compare user and computer (likely to detect sandboxes) 31->117 45 WerFault.exe 21 31->45         started        119 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 38->119 121 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 38->121 123 Tries to detect Any.run 38->123 47 conhost.exe 38->47         started        67 api.telegram.org 149.154.167.220, 443, 49797 TELEGRAMRU United Kingdom 40->67 125 Tries to steal Mail credentials (via file / registry access) 40->125 127 Tries to harvest and steal ftp login credentials 40->127 129 Tries to harvest and steal browser information (history, passwords, etc) 40->129 131 Hides threads from debuggers 40->131 49 conhost.exe 40->49         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fde5e3f6601ebd9df21a200a7031dcb23907f07985b4f8fc7c1ddff7792ca557/
Threat name:
Win32.Trojan.Shelsy
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 08:11:11 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220221-j29znahcep/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Guloader,Cloudeye
Unpacked files
SH256 hash:
fde5e3f6601ebd9df21a200a7031dcb23907f07985b4f8fc7c1ddff7792ca557
MD5 hash:
e99af292bc2e6e66b11317b8b3383cfa
SHA1 hash:
d7b25bfe67319e49c518216d7a27199df0626dcc
Link:
https://www.unpac.me/results/d4aa1064-3207-44df-b166-74b381c871b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fde5e3f6601ebd9df21a200a7031dcb23907f07985b4f8fc7c1ddff7792ca557

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe fde5e3f6601ebd9df21a200a7031dcb23907f07985b4f8fc7c1ddff7792ca557

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2047524/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2047533/
Cape
Cape
https://www.capesandbox.com/analysis/242886/
  
URLhaus
https://urlhaus.abuse.ch/url/2050643/
  
URLhaus
https://urlhaus.abuse.ch/url/2050644/

Comments