MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707
SHA3-384 hash: 4224afd3d5bdf435e428a6fae8ec8dd271f2f9693381ac28c015d4787fbb5e908c1913fda09e3df905d639bb86a8b7d7
SHA1 hash: 569f9c9caf3e5000cad21caaecd8a676fa4a5a5a
MD5 hash: 81a4e7b242a1e38a0023dca07d814f84
humanhash: saturn-golf-sad-hamper
File name:PP02267.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:266'240 bytes
First seen:2020-11-07 10:16:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1951a807074703d14a23d80306a01e62 (1 x GuLoader)
ssdeep 6144:HIFAkzL7r9r/EDppppppppppppppppppppppppppppp0G:HSP7r9r/+ppppppppppppppppppppppJ
Threatray 3'059 similar samples on MalwareBazaar
TLSH D6441AB1E5C565A0DD59AB706A36CD354E237DBFAC34941C28DE3EE73BBB2923025012
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.fpcci.org.pk
Sending IP: 124.29.202.181
From: Karen Domingue <kdomingue@airmax.ca>
Reply-To: Karen Domingue <011teknew@gmail.com>
Subject: New purchase order PP02267
Attachment: PP02267.rar (contains "PP02267.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Bulz.176449.20132.5887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523758
Signature
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 08:53:40 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6ibgvxlku4liawzc7f246l57br6yjwcj6gtcjwqvkin3u6mo4dq._file
Verdict:
suspicious
Similar samples:
12b62af6539e46350a256cc22d72b17b2d005507ff7332390da2fc2ebe159bb1
GuLoader
13c555d2bc29bc384b7c496c0aefadfbe38d7b415e11c43bdbcfdf702062d1f3
GuLoader
3c03c5f80df2762d336347192bcb146bd837550b208bab90b0e81d481d7e3506
GuLoader
496686996582107344665c0b6eb4e7c7efe6f56f4d0a5d33e5b635bcb95a5926
GuLoader
775188796115cd4ed9c6a6782ac0e2512c0759616395fc0e6193e63850adb4e0
GuLoader
96e931e07df1c012d0b7d4af91eaf2e57da055de9b8fabc499992470555ada5a
GuLoader
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
GuLoader
c61ff47c382b7819f475a74693395a56e30741d2d126d0e7212d1ffc42814d57
GuLoader
c9f5530468fde1d7a198bc7dd5a43c390b234f10649dcdbdc25890c0563d4691
GuLoader
f18e31ee1b4c8d1561cfce6bafa731020f5838566393728d1c0de1cbde333ef6
GuLoader
+ 3'049 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201107-jtt6z8p4aa/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707
MD5 hash:
81a4e7b242a1e38a0023dca07d814f84
SHA1 hash:
569f9c9caf3e5000cad21caaecd8a676fa4a5a5a
Detections:
win_cannon_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf000fb9-c0ea-438e-8b3e-ccfd438b1937/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_cannon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 8097994185c7443a097e5a3715063561763f1339168f00661f2d3e7da49f05a1

GuLoader

Executable exe 27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707

(this sample)

  
Dropped by
MD5 93aded39f121ab4bdf9b55fce059088c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8097994185c7443a097e5a3715063561763f1339168f00661f2d3e7da49f05a1

Comments