MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6
SHA3-384 hash: 64a38f35874c18aa4d7b136bead143430c370b751a40b61a06c437ca328bd5fc942ff07cd5d920c5eed58520253088a8
SHA1 hash: e3303e6e2322c450949093c0c636365b97ab5d98
MD5 hash: d44bf08d57d206a3594e5908e57b2822
humanhash: delaware-kilo-don-sweet
File name:RFQ_PARTS PRICELIST 110-10007046,pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:101'696 bytes
First seen:2021-09-07 12:20:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 000ed791bfecbc3bb69fb230428c55f9 (8 x GuLoader)
ssdeep 1536:kDSSiACHR1/LyhWNFMIJEAXOuUj87rwCZtbdELDdeMC:khFEj/LpFMN78jBELpeMC
Threatray 5'450 similar samples on MalwareBazaar
TLSH T105A39DB62AA85C95FFC5C1F7A5B5117E0C027E63D8D8960734D18B3C580BBD2BE9610B
dhash icon f87ececececece0c (10 x GuLoader)
Reporter GovCERT_CH
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_PARTS PRICELIST 110-10007046,pdf.exe
Verdict:
No threats detected
Analysis date:
2021-09-07 12:21:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7beaaf29-b80b-437a-a536-02b6724c9081

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186023/
Detection(s):
Win.Trojan.Filerepmalware-9891259-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/022d05a9-e94e-419f-b1e1-8a4f0a5df745
Result
Threat name:
GuLoader Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846586
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479017 Sample: RFQ_PARTS PRICELIST 110-100... Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 31 prda.aadg.msidentity.com 2->31 33 drive.google.com 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 GuLoader behavior detected 2->45 47 8 other signatures 2->47 9 RFQ_PARTS PRICELIST 110-10007046,pdf.exe 1 2->9         started        signatures3 process4 signatures5 49 Tries to detect Any.run 9->49 51 Hides threads from debuggers 9->51 12 RFQ_PARTS PRICELIST 110-10007046,pdf.exe 67 9->12         started        process6 dnsIp7 35 smdglo.xyz 31.210.20.16, 49736, 49737, 80 PLUSSERVER-ASN1DE Netherlands 12->35 37 drive.google.com 142.250.203.110, 443, 49734 GOOGLEUS United States 12->37 39 2 other IPs or domains 12->39 23 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->23 dropped 25 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->27 dropped 29 45 other files (none is malicious) 12->29 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->53 55 Tries to steal Instant Messenger accounts or passwords 12->55 57 Tries to steal Mail credentials (via file access) 12->57 59 7 other signatures 12->59 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 12:21:04 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcu2lh4pll64fo7rrvrw6bmngjjygnsxosd43o5jt5vwhy3h3o3a._file
Verdict:
suspicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0c8b9ba8bdd9a1d91ba4d61c81480b7337e6189fb0836301d71e90fa6adec8b6
GuLoader
47c4518661a80adc00b208c24ba1726bd1074360eec4c2e3d265f6c412f745f9
GuLoader
55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
GuLoader
73b83d70f24909aea7920a86029b43198979d7e31ab768619371e12fc7399f93
GuLoader
7754406e305f40d2a17def7c7d64ed01e3911f18368e36e64b90af21c48a91c4
GuLoader
81462d560b4bf3660bc4eb2c57b827c7e09dea12f4d590ed05880c3d0fc560cb
GuLoader
ba0751d8b1ccba23fce33d31e5f8ecf75af336cac86b5ae1d2c4306d53cd148c
GuLoader
f473972f1bc6adb86928a21d4a7af08550aec0ca5c17056a95e830142a2e8f11
GuLoader
f5502d660f4b1f1110b7ba4fd0eab36ec5b44ff97c12b146a48ff8e38efa4745
GuLoader
+ 5'440 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210907-pjbl2afgcl/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6
MD5 hash:
d44bf08d57d206a3594e5908e57b2822
SHA1 hash:
e3303e6e2322c450949093c0c636365b97ab5d98
Link:
https://www.unpac.me/results/2bf2474c-5cec-4ab6-b65c-93cb45fd6a7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/186023/

Comments