MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 545bc37874b09c18f4fcef578eb3f9f3d47673255bbc32bc41986fc4e71f896f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 545bc37874b09c18f4fcef578eb3f9f3d47673255bbc32bc41986fc4e71f896f
SHA3-384 hash: b763e7414aa049eb46cb2a5ed3c6630bee24ddd7088cd990b9b364ee856cdd173017f7a80ca874d1d5d74ec7e26efd22
SHA1 hash: e0166d84f215f22214b3defdcf7a95b9fab08bd1
MD5 hash: 0cf18e4d1314f04aead5d33dfd97af18
humanhash: white-may-nitrogen-juliet
File name:Shipment Invoice.jpg.jpg.jpg.jpg.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-08-12 14:38:04 UTC
Last seen:2020-08-12 15:56:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 88b498d6d44bb8ecb8d6a3db2331e54b (2 x GuLoader)
ssdeep 1536:/hSgJomMNbP/feZ8BIMa2bpqCTaVR109fNJ:/hkFPneZ9x21fNJ
Threatray 109 similar samples on MalwareBazaar
TLSH 30A33B42D6488571F765C3F01D364DB300BA7C799965AE0BAC9D3A1A3BBBE43D062327
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: slot0.ricksaezp.com
Sending IP: 104.168.173.112
From: info@ricksaezp.com
Reply-To: info@ricksaezp.com
Subject: Ready now for the Business
Attachment: Logo_Invoice_Myself_pdf.zip (contains "Shipment Invoice.jpg.jpg.jpg.jpg.scr")

GuLoader payload URL:
https://landzro365groupe.com/wp-content/or4/oriyande40_ipHHXO2.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44197/
Detection(s):
SecuriteInfo.com.Variant.Graftor.814706.8559.12308.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/422857
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 263873 Sample: Shipment Invoice.jpg.jpg.jp... Startdate: 13/08/2020 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Sigma detected: RegAsm connects to smtp port 2->47 49 Yara detected GuLoader 2->49 51 3 other signatures 2->51 7 Shipment Invoice.jpg.jpg.jpg.jpg.exe 1 2->7         started        10 file.scr 1 2->10         started        12 file.scr 1 2->12         started        14 OpenWith.exe 16 6 2->14         started        process3 signatures4 69 Writes to foreign memory regions 7->69 71 Tries to detect Any.run 7->71 73 Hides threads from debuggers 7->73 16 RegAsm.exe 5 14 7->16         started        21 RegAsm.exe 10 10->21         started        23 RegAsm.exe 10->23         started        25 RegAsm.exe 1 12->25         started        75 Installs a global keyboard hook 14->75 process5 dnsIp6 37 smtp.yandex.ru 77.88.21.158, 49731, 49733, 587 YANDEXRU Russian Federation 16->37 39 landzro365groupe.com 192.64.118.122, 443, 49717, 49718 NAMECHEAP-NETUS United States 16->39 41 smtp.yandex.com 16->41 33 C:\Users\user\subfolder1\file.scr, PE32 16->33 dropped 35 C:\Users\user\lists, PE32+ 16->35 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->53 55 Tries to steal Mail credentials (via file access) 16->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->57 67 6 other signatures 16->67 27 conhost.exe 16->27         started        43 smtp.yandex.com 21->43 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->59 61 Tries to harvest and steal ftp login credentials 21->61 63 Tries to harvest and steal browser information (history, passwords, etc) 21->63 65 Installs a global keyboard hook 21->65 29 conhost.exe 21->29         started        31 conhost.exe 25->31         started        file7 signatures8 process9
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/545bc37874b09c18f4fcef578eb3f9f3d47673255bbc32bc41986fc4e71f896f/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 14:39:07 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=krn4g6duwcobr5h455ly5m7z6pkhm4zflo6dfpcbtbx4jzy7rfxq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1d67a78a85100f6be1da61ddf1b8945d5e3c114a61e8ac505e7a18653633c1d2
GuLoader
5bd7a6647711c5f5c13708afcb275753e5b97044a508a947ce760e57740a568e
GuLoader
5c9b22633bb9c7f20fcd928e0093ac5debd1dabd7f42daa479725b5f2db38e91
GuLoader
72153192845eff78553d2aebfca4f5d1cfba2910c12877c8b5d7dc25aa777408
GuLoader
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
GuLoader
99b9b649c59745f1544c91ffe35dad1e1529c9cb6715325c95ee396bbe3db2ab
GuLoader
a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
GuLoader
da2e87ff6e505f0e64c3804f5355d693d9fd69e71916812f75bcd43b6cd445ec
GuLoader
dc9ab0fc37303739eebdebf61ae10291db28738997267cdaf100f5c03f263c39
GuLoader
e6bdca558fb485e6ac7295d20f868902f2b790bc147fb3ab1e3a6628280d40f3
GuLoader
+ 99 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200812-bfjht4pyks/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/545bc37874b09c18f4fcef578eb3f9f3d47673255bbc32bc41986fc4e71f896f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 63d2b3a17ef4677229f044fab8ddb0380a2c1b42d28e793793ae43fae9285f55

GuLoader

Executable exe 545bc37874b09c18f4fcef578eb3f9f3d47673255bbc32bc41986fc4e71f896f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/430485/
  
Dropped by
MD5 df37865d64e847a733d56082dc6ceaf3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44197/
  
Dropped by
SHA256 63d2b3a17ef4677229f044fab8ddb0380a2c1b42d28e793793ae43fae9285f55

Comments