MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf
SHA3-384 hash:	38047afab077f1b534e9579b849a26ff35af154d783fe8cbda1a0f1cd3efa5bfb27edf402e66061dd9e8621028199fdd
SHA1 hash:	5a7ed0e404dae382b8bd0d532a2d74e69d2fc661
MD5 hash:	2d37fbb73af959d02fbf004f2e633df8
humanhash:	vermont-mirror-football-kitten
File name:	cjcry.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	45'056 bytes
First seen:	2020-09-21 15:01:54 UTC
Last seen:	2020-09-21 15:42:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	df5b62a3567f2fb9079d505df45c52ce (4 x AZORult, 3 x GuLoader)
ssdeep	768:KXo+/pwBaFGZybD57VXFM7kD/5OLhAjVs:MWEQy3bXFMcq
Threatray	1'645 similar samples on MalwareBazaar
TLSH	2A133B1F91B8A736E62886BE5A244F78005BFDB4C4018D0BE64B3E2E1F36E01D6D475B
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Razy.755503.25045.4996.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Stealing user critical data

Result

Threat name:

Azorult GuLoader

Detection:

malicious

Classification:

rans.phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/471384

Signature

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Contains functionality to hide a thread from the debugger

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Potential malicious icon found

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

guloader

Link:

https://mwdb.cert.pl/sample/684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-09-21 02:24:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nbgeh57ephrqf5gbsod34lj3awnjh3rgqa3z7iscw7agjej7iphq._file

Verdict:

malicious

Label(s):

guloader

azorult

GuLoader

2c80924676beb57ffb753a576380eed1ec48e265a7843a52b08664463d890b61

GuLoader

4320e2bf2bc6115ae79a52777bdd9aef62db691a756640f9c7fa6e8372e46193

GuLoader

6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff

GuLoader

9a36fc89381b4c1f3f368fc7ce1beb6ef3c7f1a31bc486e37a43fb5d4f62f5d9

GuLoader

abfd516f0c6cbc380eaefd3da726160b16755fb00c38cafcaa02db61b7208ba7

GuLoader

acd781dfe44f61dafb6b3fc6f648c4833b96872caca16e7d746c914987979dd5

GuLoader

bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a

GuLoader

d3b837c6df7e17d6f6ff9c20066fa5b0064408935d62bacdd4c9b5791002b941

GuLoader

e184f318d66c8ea996fd994937e70a67591a5f77a86058244746089ed51819ad

GuLoader

+ 1'635 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

discovery trojan infostealer family:azorult spyware

Link:

https://tria.ge/reports/200921-hg5kpvh8t6/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/135/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample