MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23166e8971c2cfa2ea35aa10e15694a9757ab7584b2ddd648e424d8488e9fe98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	23166e8971c2cfa2ea35aa10e15694a9757ab7584b2ddd648e424d8488e9fe98
SHA3-384 hash:	96adb8c90cdd48c0252d58c9f4b5624510d99b0d95ab8e27ee9ff5463a0177d9a173365e443dade22e16d5efad164af9
SHA1 hash:	897b3824d32acc5eaeac869d1777e605e6c0bd87
MD5 hash:	9a380ce4dda295e403050736175b5e80
humanhash:	aspen-violet-enemy-alanine
File name:	dogsee.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	40'960 bytes
First seen:	2020-09-30 13:30:22 UTC
Last seen:	2020-09-30 15:03:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	24c7f2021b67952b599ea38574c9f95c (6 x GuLoader, 1 x AZORult)
ssdeep	384:qXxe+MpWhidTGupwRl9wdVU8hnT5mJyDQkZXTWH:qXxXMpdzk9wdVU8hnVmJykkZXi
Threatray	1'791 similar samples on MalwareBazaar
TLSH	EC033C5FEDB6A772F6614A3E472287B4012B3C30C6048D4BF96B3E1D6D75A40D8E560B
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/67138/

Detection(s):

SecuriteInfo.com.Variant.Midie.75586.20331.524.UNOFFICIAL

Win.Malware.Vbcryptor-9769197-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Deleting a recently created file

Creating a file in the %temp% subdirectories

Reading critical registry keys

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Threat name:

Azorult GuLoader Lokibot

Detection:

malicious

Classification:

rans.phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/478389

Signature

Binary contains a suspicious time stamp

Contains functionality to hide a thread from the debugger

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Potential malicious icon found

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected GuLoader

Yara detected Lokibot

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/23166e8971c2cfa2ea35aa10e15694a9757ab7584b2ddd648e424d8488e9fe98/

Threat name:

Win32.Infostealer.Azorult

Status:

Malicious

First seen:

2020-09-30 13:30:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=emlg5clrylh2f2rvviiocvuuvf2xvn2yjmw52zeoijgyjchj72ma._file

Verdict:

malicious

Label(s):

guloader

azorult

GuLoader

14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa

GuLoader

39097a208fc44653546ca6f01bd6af471c01b045da19c6f54cdf97d03cfc6c77

GuLoader

4100f196d5289b085ea167afbec9aadbb5105bf46e48b5402f583db123878f96

GuLoader

4124b50c54faf6d95a5e8daf01f74d8135ace95fc1886f68537e5c36fee8bab4

GuLoader

5e7c67a0d5053360b4769443d8a068525c53196b52203feec9e7d533e44db169

GuLoader

78a253ee0430aeb4feb92eb0641433d908a8c2c29b0d5919dbb4fa556dec3e46

GuLoader

8ae9a72b45764de26190fe3367f958027e1e0d67a87637ab733fe743a6434667

GuLoader

96806ca7e35fc1840e35d756d2242c494fa734a81d76ceb8586fd10ef6548f39

GuLoader

a7187cba00f1ecf7d0ce8758c9376610eb513869152e7b4bd28e711f6b440053

GuLoader

+ 1'781 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

trojan infostealer family:azorult

Link:

https://tria.ge/reports/200930-42tcf3rhw2/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Azorult

Unpacked files

SH256 hash:

23166e8971c2cfa2ea35aa10e15694a9757ab7584b2ddd648e424d8488e9fe98

MD5 hash:

9a380ce4dda295e403050736175b5e80

SHA1 hash:

897b3824d32acc5eaeac869d1777e605e6c0bd87

Link:

https://www.unpac.me/results/0b685de5-a025-488d-8c95-f520a2174c2a/

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/0b685de5-a025-488d-8c95-f520a2174c2a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DriveBy Activity

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/23166e8971c2cfa2ea35aa10e15694a9757ab7584b2ddd648e424d8488e9fe98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/67138/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample