MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b
SHA3-384 hash: dcbb91116ad4b1b637b290417018f61f1fb7d17b6927042b1a155ed5227e133c9a35e12df833b9d14852066e44a6a814
SHA1 hash: 2ba515688b053a2e6153b5f21baa379b8b120b5e
MD5 hash: ebc68c72c1d9ddb811c502683d4a72ff
humanhash: early-fanta-charlie-johnny
File name:Maj PO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:139'264 bytes
First seen:2021-10-14 01:27:34 UTC
Last seen:2021-10-15 07:01:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c727a98e677fb7bd25bb06d2a2d956f1 (11 x GuLoader, 1 x Formbook)
ssdeep 1536:CNUtOVhx7REJQt+k0FthV8xVWkW0CJ4GcZUI4XHzDbHmBIVzXmiMgL0j+NC5DDm/:XgREWt+FbV8xVWhiGHfOj+NC5e
Threatray 5'715 similar samples on MalwareBazaar
TLSH T133D391A162B08FD4E0A79A7F17E543607132BE344952AD47F68CBE1E4E761E4D29032F
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter GovCERT_CH
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Maj PO.exe
Verdict:
No threats detected
Analysis date:
2021-10-14 01:30:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c272dd0d-a4c9-4b77-8da6-ff7c04c6cb46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197389/
Detection(s):
SecuriteInfo.com.Variant.Razy.964195.13708.3926.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/616787a59fb4d8593d6444ff/reports/2c29c9f1-f022-46e8-b1c8-4d81a03bb429/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eceeb93f-d6d9-43d4-a737-c71fee77f247
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spre.adwa.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870123
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Modifies the hosts file
Potential malicious icon found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 01:28:05 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=byi2obmsjebffwvw43m6utjvqmvme3mzjcbia43x46pkab4ioe5q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
5beaf925ba1c27967e8d8235e53c98cf22a8ad6749cb42e7e7e2222f9e9e40d2
GuLoader
694b6c17b725903cf563928c0e6d0857900dfd1773a2e12c9acc8fd30a2f16ad
GuLoader
6a3131b719f6687d8d51316dc8fd7ec2eb5bda66eca9220f66d0c1b0853d470c
GuLoader
6cbaf335b0737ddf3f782688324856ef573d1978897299461f7a43c8efeaa008
GuLoader
8bd2088df673c9e9ee6227a521bcadce468a7e9e0b6a7f6a462c20fc19a3d4bd
GuLoader
8c6cae9078b175b331c1d6154045deea386850a75e4e2a250fe4f4d920cf1a4a
GuLoader
aadd8812bdbbe483d3635c581c7671d3b73a69cad0ea6f90dbd5617bbb298f14
GuLoader
b2573d8656ea0e2db5643a3aed1b8cbbd6f251cc4cff6c748f842e51b7829969
GuLoader
cbfb37aa80241f13219dd80e61ffe320d10609a9eae2a3796586a10e676e3c39
GuLoader
f2b2f10c3c65d8f81641b20ebbf91ca7da5ba685282b24677a4c5561758f7226
GuLoader
+ 5'705 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/211014-bvn5lsfef8/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b
MD5 hash:
ebc68c72c1d9ddb811c502683d4a72ff
SHA1 hash:
2ba515688b053a2e6153b5f21baa379b8b120b5e
Link:
https://www.unpac.me/results/027860d2-1bb3-4102-9417-41432b5e56dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b

(this sample)

  
Dropped by
guloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/197389/

Comments