MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02f41fdda70c06784cceadc52eb976538f65a46ef22f0700f5daa13a9e856587. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02f41fdda70c06784cceadc52eb976538f65a46ef22f0700f5daa13a9e856587
SHA3-384 hash: 6d7aa5d7ed037f9efb287c887274f93989e44ed4ff9b8cd40d9b56ddfd506058cbc32c34cba04f8fb4f40cf575dc8832
SHA1 hash: 1cc5851528906645f7370ee2ea14720d0c5edcf1
MD5 hash: b363ff34e7528ec9d01d2621dde96bdd
humanhash: triple-hamper-wyoming-fourteen
File name:PO.DOC_DOCX .......exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-08-14 09:52:25 UTC
Last seen:2020-08-14 11:01:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 88b498d6d44bb8ecb8d6a3db2331e54b (2 x GuLoader)
ssdeep 768:VzMokPxK1VxNqrRAwW9V3+QKm+WzIHMhxzGxXFAoWBGTdEZN:lMotaAwaqYeADgpEZN
TLSH 06933A22E98AD932F328C5B55D3419F758BDAC7846064F4B78493F5A36B6F02A4E130B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: daishintc.com
Sending IP: 37.49.230.52
From: "Sales Manager" <order@daishintc.com>
Reply-To: "Sales Manager "<dhczengs@gmail.com>
Subject: PO
Attachment: PO.DOC_DOCX ......7Z (contains "PO.DOC_DOCX .......exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=6A851B3D3D1425A8&resid=6A851B3D3D1425A8%21108&authkey=AOnogI-tIVkraj8

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45750/
Detection(s):
SecuriteInfo.com.Variant.Graftor.816111.20828.12259.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/429286
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Uses an obfuscated file name to hide its real file extension (a lot of spaces)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 267122 Sample: PO.DOC_DOCX             ...... Startdate: 15/08/2020 Architecture: WINDOWS Score: 80 58 Yara detected GuLoader 2->58 60 Yara detected AgentTesla 2->60 62 Uses an obfuscated file name to hide its real file extension (a lot of spaces) 2->62 64 Initial sample is a PE file and has a suspicious name 2->64 7 PO.DOC_DOCX             .......exe 1 2->7         started        10 filename1.exe 1 2->10         started        12 filename1.exe 1 2->12         started        process3 signatures4 66 Writes to foreign memory regions 7->66 68 Tries to detect Any.run 7->68 70 Hides threads from debuggers 7->70 14 RegAsm.exe 1 9 7->14         started        19 RegAsm.exe 8 10->19         started        21 RegAsm.exe 8 12->21         started        process5 dnsIp6 40 yc21sa.db.files.1drv.com 14->40 42 onedrive.live.com 14->42 36 C:\Users\user\subfolder1\filename1.exe, PE32 14->36 dropped 52 Tries to detect Any.run 14->52 54 Hides threads from debuggers 14->54 56 Contains functionality to hide a thread from the debugger 14->56 23 WerFault.exe 23 9 14->23         started        25 conhost.exe 14->25         started        44 yc21sa.db.files.1drv.com 19->44 46 onedrive.live.com 19->46 27 WerFault.exe 10 19->27         started        30 conhost.exe 19->30         started        48 yc21sa.db.files.1drv.com 21->48 50 onedrive.live.com 21->50 32 conhost.exe 21->32         started        34 WerFault.exe 21->34         started        file7 signatures8 process9 dnsIp10 38 192.168.2.1 unknown unknown 27->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02f41fdda70c06784cceadc52eb976538f65a46ef22f0700f5daa13a9e856587/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 09:54:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=al2b7xnhbqdhqtgovxcs5olwkohwljdo6ixqoahv3kqtvhufmwdq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200814-ts1td8hnga/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/02f41fdda70c06784cceadc52eb976538f65a46ef22f0700f5daa13a9e856587

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

7z 80c91bb5c4376648f1b0eaada7604861ef0c0692c750fadfcae2d1407f7ff166

GuLoader

Executable exe 02f41fdda70c06784cceadc52eb976538f65a46ef22f0700f5daa13a9e856587

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/432988/
  
Dropped by
MD5 c5cfb9447add7d35cc2d016f410cf5b1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45750/
  
Dropped by
SHA256 80c91bb5c4376648f1b0eaada7604861ef0c0692c750fadfcae2d1407f7ff166

Comments