MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a2c2bdab9f7ae76394afc7d00744302299e1939121ca27f026c810f273d9ed0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a2c2bdab9f7ae76394afc7d00744302299e1939121ca27f026c810f273d9ed0
SHA3-384 hash: 0de46007771f407317b25f46391691b4d3914a7fc41c1c08efc8e456a224d45f5e15377391cda5323ec1aa770ffce096
SHA1 hash: d12b20ab451dcea393f4878765a94cb00a7920f6
MD5 hash: 6edc652dd96c077fc2dfaaa05312d0a7
humanhash: failed-sink-fillet-purple
File name:6edc652dd96c077fc2dfaaa05312d0a7.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-09-09 12:17:27 UTC
Last seen:2020-09-09 13:31:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f8ce4a8ef2bca584cba04f63be14b893 (6 x GuLoader, 1 x AZORult)
ssdeep 768:e6cFQIBjs22w5pA3N72HDOE4t9zrOf4go67O3YgRMYBL/G2knvwdpS+3+7BY68nK:SBWp2jOEGzrE4go67O3ZCaX
Threatray 99 similar samples on MalwareBazaar
TLSH 18836C52F36AD536C30581FE5938E5B400EEBC305866C98BB9447EBE15F66F6812322B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21150&authkey=AD8TGaPt8VrVnXc

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58116/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.54701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/461990
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
n/a
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0a2c2bdab9f7ae76394afc7d00744302299e1939121ca27f026c810f273d9ed0/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-09-08 01:57:22 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=biwcxwvz66xhmokk7r6qa5cdaiuz4gjzcioke7ycnsaq6jz5t3ia._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
guloader
Create hunting rule
Similar samples:
0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2
GuLoader
39097a208fc44653546ca6f01bd6af471c01b045da19c6f54cdf97d03cfc6c77
GuLoader
60e4a90b0d8ac89efe92c67bdabc39b364459d7440bd435ad653d667dc57d0ad
GuLoader
7c178f6f73eda5a5e0a4de819f092772ad4cb0ac2f6d996f7b9b072883b04bc0
GuLoader
82cb0039a905337de09b58384a3fb700e278d2ce0372f348a65068ad80d8754d
GuLoader
8ae9a72b45764de26190fe3367f958027e1e0d67a87637ab733fe743a6434667
GuLoader
9ffc0cc7f5b6bfb1e02d404b6d850e2fd72a778a1a2582fc061723f084cc73c2
GuLoader
acd781dfe44f61dafb6b3fc6f648c4833b96872caca16e7d746c914987979dd5
GuLoader
bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a
GuLoader
e184f318d66c8ea996fd994937e70a67591a5f77a86058244746089ed51819ad
GuLoader
+ 89 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult
Link:
https://tria.ge/reports/200909-p5kg9bjzqj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Azorult
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a2c2bdab9f7ae76394afc7d00744302299e1939121ca27f026c810f273d9ed0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 0a2c2bdab9f7ae76394afc7d00744302299e1939121ca27f026c810f273d9ed0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/456071/
  
URLhaus
https://urlhaus.abuse.ch/url/456059/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58116/

Comments