MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 121ae52814e12a816b25602c6db7ae2a86af12b1b11e9c06874b9b03c3c81e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 121ae52814e12a816b25602c6db7ae2a86af12b1b11e9c06874b9b03c3c81e98
SHA3-384 hash: 99aabe62d46dcf69598fc03073d0ced5892a27d1ec4a2a9726e3ca1e42ed6364c5ec72b6fbcc58d0f9b92b860c007a02
SHA1 hash: 8fa1e05808131443df9e6db6dd67dd7bb19db9e9
MD5 hash: 9a04058ddb610502c86c0bfa96573813
humanhash: nine-helium-salami-tango
File name:specification and details for PO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-08-05 07:56:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef06b2733a146acf29e142c8265be40e (2 x GuLoader)
ssdeep 768:1a0dWUFYr8N/sYVlUkuZw4vkBs8JJhH1b8ozzxVfDk/Cki0weia:1HdJsWTuZDvkmUHtbaakjwei
Threatray 156 similar samples on MalwareBazaar
TLSH 29833917A188A632F384C2B56B3512F3523FBC30459A8F07F9583F263A76E05E9A0317
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: cpsc.hk
Sending IP: 156.96.44.186
From: Nkay<nkay@cpsc.hk>
Reply-To: bquinnlin@gmail.com
Subject: CFO CSPC Holdings Ltd Order Post Rev
Attachment: specification and details for PO.zip (contains "specification and details for PO.exe")

GuLoader payload URL:
http://anakleather.ir/henryyy_rpmyokHmtf43.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39135/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410445
Signature
Contains functionality to hide a thread from the debugger
Drops executable to a common third party application directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257472 Sample: specification and details f... Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Sigma detected: RegAsm connects to smtp port 2->43 45 Yara detected AgentTesla 2->45 47 Tries to detect virtualization through RDTSC time measurements 2->47 7 specification and details for PO.exe 1 2->7         started        10 firefox.exe 4 2->10         started        12 firefox.exe 3 2->12         started        process3 signatures4 49 Writes to foreign memory regions 7->49 51 Tries to detect Any.run 7->51 53 Hides threads from debuggers 7->53 14 RegAsm.exe 2 13 7->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        process5 dnsIp6 27 smtp.pharmecy.info 14->27 29 anakleather.ir 185.55.224.88, 49737, 49738, 80 SERVERPARSIR Iran (ISLAMIC Republic Of) 14->29 31 2 other IPs or domains 14->31 25 C:\Users\user\AppData\Roaming\...\firefox.exe, PE32 14->25 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 10 other signatures 14->39 23 conhost.exe 14->23         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/121ae52814e12a816b25602c6db7ae2a86af12b1b11e9c06874b9b03c3c81e98/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 01:06:21 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cinokkau4evic2zfmawg3n5ofkdk6evrwepjybuhjonqhq6id2ma._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0e5007396123f9b1a018685b7cf2e42cc508b58ab216df305808f65408f21388
GuLoader
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
GuLoader
5b8bcca6874eb87a0653adc3137d69a11c33c64a0087ad63646f39111ac2e62c
GuLoader
717ab569e1a4743ce73546e57a7a1f875425747672b5f2d6fce34af35ab8c16f
GuLoader
77168234eb706333e4835666a00a8fd8e110959660c97e5c5528ed3a3d0f5081
GuLoader
8d88c99ff33ecbed42e4185b925f890a616aa0307a559d61595ab67dae6a1a09
GuLoader
ab8e874a1010d724e8008b46a262fdddcd8847c5bd5e43a62abe6e48ae324f71
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
e8b09f7077354fc4eac453773e0404cfcb88694939d7604165d0ea768249050d
GuLoader
f345455cae0e8e49f4c68468a461dd2cf63384268e86a5eb78c4b5119c7038f2
GuLoader
+ 146 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-sbvz9q6ana/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/121ae52814e12a816b25602c6db7ae2a86af12b1b11e9c06874b9b03c3c81e98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 1872d9b0762a529a8fef7f22f8774291e460cc4f1f881b6d913c1e92f26abf72

GuLoader

Executable exe 121ae52814e12a816b25602c6db7ae2a86af12b1b11e9c06874b9b03c3c81e98

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/424598/
  
Dropped by
MD5 e51778fd560e8077ed86a94a8cd3f964
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39135/
  
Dropped by
SHA256 1872d9b0762a529a8fef7f22f8774291e460cc4f1f881b6d913c1e92f26abf72

Comments