MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08f8f2c8de752da634afbc32510b0a750ee5eacc96a130aacd317bc19ce64de2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08f8f2c8de752da634afbc32510b0a750ee5eacc96a130aacd317bc19ce64de2
SHA3-384 hash: 0961c5773afd772032ac402cf5506598d0bafb0af97a3d17676260fed45eda27e6a8e6a20070034a6d9c47b7b88d2cc7
SHA1 hash: 94683d9f44b0c299e0c71af7c4ed3ff7881adff0
MD5 hash: 916ea01427a439df36da2258f0b1f5df
humanhash: vegan-december-hydrogen-moon
File name:20210909161956_00023,pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:101'712 bytes
First seen:2021-09-09 06:27:43 UTC
Last seen:2021-09-09 13:42:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 000ed791bfecbc3bb69fb230428c55f9 (8 x GuLoader)
ssdeep 1536:MDb9oF6UPwPjWw/QieHYF+lnlLPrGxDZeM:M6kPdIsIbDGxleM
Threatray 5'461 similar samples on MalwareBazaar
TLSH T172A39E73299A4C82FAB1D1F25B79452D0C22EC9395D9121766D3233C151BBE0FCE2AA7
dhash icon f87ececececece0c (10 x GuLoader)
Reporter GovCERT_CH
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20210909161956_00023,pdf.exe
Verdict:
No threats detected
Analysis date:
2021-09-09 06:29:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb78ae6f-5330-4dbe-b981-04dbe0797f68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186501/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.23133.19112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e93f3072-69e8-4942-89ff-e10e8cf076ca
Result
Threat name:
GuLoader Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847854
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 480285 Sample: 20210909161956_00023,pdf.exe Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 5 other signatures 2->42 8 20210909161956_00023,pdf.exe 1 2->8         started        process3 signatures4 44 Performs DNS queries to domains with low reputation 8->44 46 Self deletion via cmd delete 8->46 48 Tries to detect Any.run 8->48 50 2 other signatures 8->50 11 20210909161956_00023,pdf.exe 67 8->11         started        process5 dnsIp6 30 smdglo.xyz 31.210.20.16, 49837, 49838, 80 PLUSSERVER-ASN1DE Netherlands 11->30 32 googlehosted.l.googleusercontent.com 142.250.201.193, 443, 49836 GOOGLEUS United States 11->32 34 2 other IPs or domains 11->34 22 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->22 dropped 24 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 11->26 dropped 28 45 other files (none is malicious) 11->28 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->52 54 Tries to steal Instant Messenger accounts or passwords 11->54 56 Tries to steal Mail credentials (via file access) 11->56 58 7 other signatures 11->58 16 cmd.exe 1 11->16         started        file7 signatures8 process9 process10 18 conhost.exe 16->18         started        20 timeout.exe 1 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08f8f2c8de752da634afbc32510b0a750ee5eacc96a130aacd317bc19ce64de2/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 05:03:09 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bd4pfsg6ouw2mnfpxqzfccykouhol2wms2qtbkwngf54dhhgjxra._file
Verdict:
unknown
Similar samples:
47c4518661a80adc00b208c24ba1726bd1074360eec4c2e3d265f6c412f745f9
GuLoader
48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6
GuLoader
5202c86ff05c916da27a70ed912bd5310473d337747f1b38e475fa1e7e6310c4
GuLoader
552db26bdd2347a216bb88e706ebf2bc9a145c8a5d38d082c53dcdd2f344c162
GuLoader
7754406e305f40d2a17def7c7d64ed01e3911f18368e36e64b90af21c48a91c4
GuLoader
81462d560b4bf3660bc4eb2c57b827c7e09dea12f4d590ed05880c3d0fc560cb
GuLoader
8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0
GuLoader
b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310
GuLoader
d6857aa5fd52de7b5f61da1d7556c2aa04ca9040fbd399ab797b927fc06aef12
GuLoader
f473972f1bc6adb86928a21d4a7af08550aec0ca5c17056a95e830142a2e8f11
GuLoader
+ 5'451 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210909-g8c76affe5/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
08f8f2c8de752da634afbc32510b0a750ee5eacc96a130aacd317bc19ce64de2
MD5 hash:
916ea01427a439df36da2258f0b1f5df
SHA1 hash:
94683d9f44b0c299e0c71af7c4ed3ff7881adff0
Link:
https://www.unpac.me/results/d6fba4e5-3750-43db-a34b-9baa5efa3ecd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/08f8f2c8de752da634afbc32510b0a750ee5eacc96a130aacd317bc19ce64de2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 08f8f2c8de752da634afbc32510b0a750ee5eacc96a130aacd317bc19ce64de2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/186501/

Comments