MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dd1a3c527b49134a0241485d8df32b7eb625dd68f52bcc6597002956d6b70d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	3dd1a3c527b49134a0241485d8df32b7eb625dd68f52bcc6597002956d6b70d4
SHA3-384 hash:	c0aa3b881f2270ee49a8d37d14eac9b328781cf57177f9c265337914265b81377d627ce346f1463f309111334a021797
SHA1 hash:	add75e8efa2db8f747e3e71718e210edaf8f3e01
MD5 hash:	11662e80e73aa48e5a7dad619bd099f9
humanhash:	romeo-nebraska-orange-burger
File name:	PO#41196.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	282'624 bytes
First seen:	2021-03-09 15:43:46 UTC
Last seen:	2021-03-09 17:45:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7b3e9f865f45a2a4ed08f871e45b10e7 (1 x GuLoader)
ssdeep	3072:9L3LFTDwqSekzifgy8BtC/lTRTzer6iXiiScAVvvn5aWd72s5feJyFkFX:9PFpSlO4HBtC/D26iyPJ/5au72sMjF
Threatray	4'846 similar samples on MalwareBazaar
TLSH	35546E61663A9F41C2CACD3CF10C65A4358DDC2B67E464C2A3B43DBE5EBE9C87E60548
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing unidentified malware:

HELO: bjcs01.serverproof.net
Sending IP: 180.76.192.144
From: account-sh@fhtextile.com
Subject: Re: Inquiry
Attachment: DNW92432.IMG (contains "PO#41196.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO#41196.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-09 17:11:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/282bf3a3-b753-4cd3-bb09-cda4d3bc838c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/123295/

Detection(s):

SecuriteInfo.com.Variant.Midie.79838.4392.29855.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla GuLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/633119

Signature

Antivirus / Scanner detection for submitted sample

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2021-03-09 02:13:03 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hxi2hrjhwsitjibecsc5rxzsw7vwexowr5jlzrszoabjk3llodka._file

Verdict:

suspicious

GuLoader

1d67c5b17b0115be9c9213910f41e052d520c7f86a5b9373f145f8c5f2ded8e4

GuLoader

463bda53d68b37fa531bc31652d2f76a92c76f3311707fb7a0037b4f3a5445d4

GuLoader

4adf106d80dd2be5d8ea333dcc3a1d06770e4d913b25d05616247f9c66f99484

GuLoader

581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03

GuLoader

6dd4cc2127fa0f8b93d7f95ab3bc644d317ec7510de4d92d7a1daa8eaf54cdb6

GuLoader

7ab96517f6852c124c82edf441496b2f005b11a4d1feb92f9cbfa2a2bffd1acb

GuLoader

818a7b0f2761340c423a9feabe5aae7fbf96129316ae4b0a11357cbaed344bbf

GuLoader

bf6ae876108b5fec915d91bd36d3ccd22c8593be29412521c32a4b3f11a757f0

GuLoader

dea51f7f074a8d9b0e30626e11ca4a79de602da24ba64d0222ee1162a5fbb5ba

GuLoader

+ 4'836 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210309-49e5jm9jfx/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

3dd1a3c527b49134a0241485d8df32b7eb625dd68f52bcc6597002956d6b70d4

MD5 hash:

11662e80e73aa48e5a7dad619bd099f9

SHA1 hash:

add75e8efa2db8f747e3e71718e210edaf8f3e01

Link:

https://www.unpac.me/results/e9e3c5fb-74ee-4193-b8d8-f6be703e8da6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Brontok

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/3dd1a3c527b49134a0241485d8df32b7eb625dd68f52bcc6597002956d6b70d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img dbeb449109578f930c74713d77c2ded472c909508757ca761e921a5f10a01acd

GuLoader

exe 3dd1a3c527b49134a0241485d8df32b7eb625dd68f52bcc6597002956d6b70d4

(this sample)

Dropped by

MD5 3e0b52083d6f13c0b4919bd55283421c

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/123295/

Dropped by

SHA256 dbeb449109578f930c74713d77c2ded472c909508757ca761e921a5f10a01acd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample