MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0da94c587aef560c9ff0d315cff1c1e073f8ab71f31b259cb78bb9c2293ece80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0da94c587aef560c9ff0d315cff1c1e073f8ab71f31b259cb78bb9c2293ece80
SHA3-384 hash: ce4470f7b1f8549f0be3fb0b9c1aa0f8c2f79e2219866f29eaf70233e4c1eb37c2507a917b620ec6bd860fbca60b8fb1
SHA1 hash: b294db2f73f3ab1e80cf0b2f36f25186740c478f
MD5 hash: b07dde80ddc6e6963cf63eb52328df17
humanhash: magazine-queen-ack-california
File name:POSSIBLE P.O.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:65'536 bytes
First seen:2020-10-05 12:10:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c61dfc2eb047721716e40af60f96d375 (1 x GuLoader)
ssdeep 768:AFB6ZlF7UmWDZ/E9PqOZe2VaG2RgsABOFaW:A/6ZT4XDRE9PqJ2VaxRgsuUn
Threatray 2'247 similar samples on MalwareBazaar
TLSH 6E53F57A67C84C61F40CFEB82A1183A01D217C353EE54A8B6CB97B3A1D33B5C5D842A7
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: sipau1-19.nexcess.net
Sending IP: 103.242.92.61
From: DAVID HALE <pranav@sublimeoptics.com>
Reply-To: company_purchases01@mail.com
Subject: Possible PO
Attachment: POSSIBLE P.O.pdf.z (contains "POSSIBLE P.O.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=618391B69828CF46&resid=618391B69828CF46%21119&authkey=AKVlvLg6hEL9KyI

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68202/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481424
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293174 Sample: POSSIBLE P.O.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 24 Potential malicious icon found 2->24 26 Found malware configuration 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 8 other signatures 2->30 7 POSSIBLE P.O.exe 2->7         started        process3 signatures4 32 Writes to foreign memory regions 7->32 34 Tries to detect Any.run 7->34 36 Hides threads from debuggers 7->36 10 RegAsm.exe 15 13 7->10         started        14 RegAsm.exe 7->14         started        process5 dnsIp6 18 smtp.yandex.ru 77.88.21.158, 49758, 49759, 587 YANDEXRU Russian Federation 10->18 20 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.252.4, 443, 49757 AMAZON-AESUS United States 10->20 22 5 other IPs or domains 10->22 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->38 40 Tries to steal Mail credentials (via file access) 10->40 42 Tries to harvest and steal ftp login credentials 10->42 50 4 other signatures 10->50 16 conhost.exe 10->16         started        44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->46 48 Contains functionality to detect hardware virtualization (CPUID execution measurement) 14->48 52 2 other signatures 14->52 signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0da94c587aef560c9ff0d315cff1c1e073f8ab71f31b259cb78bb9c2293ece80/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 09:52:22 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bwuuywd255lazh7q2mk474ob4bz7rk3r6mnslhfxro44ekj6z2aa._file
Verdict:
suspicious
Similar samples:
1289d591984de5325235e57987ab171b4ae3f9d55baf3476087677805922427f
GuLoader
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
GuLoader
3b6460bb14fdce88ab8ec80e5cbfecbb15bbc09de1e75c51246d1c670925b340
GuLoader
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
GuLoader
6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff
GuLoader
784d9c10d108190a9e18b3d5756404a3e63fd728abd648225cbbf80c4f78fe76
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
c8e91120db97c2cc33d799fb33cefcb6e199cb68c824500f22ec8fc1736a90b4
GuLoader
d29fa6e0fa83a4332afc39315b3961e609bddc91c1b60590c82b009d20cd9f3a
GuLoader
ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74
GuLoader
+ 2'237 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201005-pymyps7lc2/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
0da94c587aef560c9ff0d315cff1c1e073f8ab71f31b259cb78bb9c2293ece80
MD5 hash:
b07dde80ddc6e6963cf63eb52328df17
SHA1 hash:
b294db2f73f3ab1e80cf0b2f36f25186740c478f
Link:
https://www.unpac.me/results/b435b702-936f-4c42-8c88-d21256cdd257/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0da94c587aef560c9ff0d315cff1c1e073f8ab71f31b259cb78bb9c2293ece80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 2a31538fdbf79faacc53dbf634a2193c20b4c2a0e6314302c3aa8f719ff391ef

GuLoader

Executable exe 0da94c587aef560c9ff0d315cff1c1e073f8ab71f31b259cb78bb9c2293ece80

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/654588/
  
Dropped by
MD5 b0a2323bd699882c6bc0a413e506dd5c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2a31538fdbf79faacc53dbf634a2193c20b4c2a0e6314302c3aa8f719ff391ef
Cape
Cape
https://www.capesandbox.com/analysis/68202/

Comments