MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6
SHA3-384 hash:	c8311a8261441e074827cf360c82b8f1432c956a2b0769270e11d6f053ea7ac32d5e76028622e901a148a24f1f031bc0
SHA1 hash:	0d8a45e3ef1bdd54ac0456970180ff06b641583d
MD5 hash:	88bb74f36b0640b2c521ce68d0100e14
humanhash:	jig-yellow-south-april
File name:	cjwe.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	40'960 bytes
First seen:	2020-09-23 13:31:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bd69604fa4fec5a862d5f61adab40afc (2 x GuLoader, 1 x AZORult)
ssdeep	384:QKnmuWbMofPKA6MzHcBODEhN5leQECRA2xH1Wk5flSdnEeQ26OdUk2LQ:QKnmuwPKXMe9z9Ed2TDNteQl4P2L
Threatray	1'628 similar samples on MalwareBazaar
TLSH	A1034B0FB9B86361E1DA98BE4F3687E449577C70E50ACE07F687390C3931602F6C961A
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/64856/

Detection(s):

SecuriteInfo.com.Heur.PonyStealer.cm0@QC7uvdpi.20612.14454.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Stealing user critical data

Result

Threat name:

Azorult GuLoader

Detection:

malicious

Classification:

rans.phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/473367

Signature

Binary contains a suspicious time stamp

Contains functionality to hide a thread from the debugger

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Potential malicious icon found

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-09-23 05:32:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bkifkealcc5biwtfgnfkfmywxqyhelgxku44nxgkc2g2mjrqicta._file

Verdict:

malicious

Label(s):

guloader

azorult

GuLoader

0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2

GuLoader

26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0

GuLoader

41a9a33741271ed8654135fcc3ece20c710503ad40a6707e84541bf4710641a8

GuLoader

448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9

GuLoader

4acadb0925e9ed9375a93307e5fbee58a8bbefe02a97463bf45e45752a7cfe42

GuLoader

4b632e01957edd0717ec241f31b52bee90b2060d1a99e1467c842f0241d68d02

GuLoader

8cd14212205658092f91a376a85fb70802200671ea0cbc74b73f1fcaf0f88ddb

GuLoader

a891606327e5e625ddd626a1c63958e6575c2293bcfef7388fb803cef653f931

GuLoader

e8b09f7077354fc4eac453773e0404cfcb88694939d7604165d0ea768249050d

GuLoader

+ 1'618 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

spyware discovery trojan infostealer family:azorult

Link:

https://tria.ge/reports/200923-p2htxxg4tj/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/64856/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample