MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0
SHA3-384 hash: 806e061f68856da1ed60d3b166e00b9fd7e852e8167ce31d0b8d4de649d93373e4541c2df51246daf348f5af8bbd6c61
SHA1 hash: b5a79b134d5a9d7ca07944afc7e87c96a26a103f
MD5 hash: ac23a257a837c7fa2d21f5bc02328aba
humanhash: virginia-echo-eleven-early
File name:RFQ_PARTS PRICELIST 110-10007046,pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:101'736 bytes
First seen:2021-09-07 22:16:39 UTC
Last seen:2021-09-08 11:16:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 000ed791bfecbc3bb69fb230428c55f9 (8 x GuLoader)
ssdeep 1536:IDOGHUXp8o4MBuQG+mOG4SZH051BTbxeD8eMQ:ID0XWUYo1GH+5zvxegeMQ
Threatray 2'659 similar samples on MalwareBazaar
TLSH T12DA37BB26DA46C84FE85C6B354B6D6BD4C229E63CDDA160F24C19ABC043BEC07F93542
dhash icon f87ececececece0c (10 x GuLoader)
Reporter GovCERT_CH
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_PARTS PRICELIST 110-10007046,pdf.exe
Verdict:
No threats detected
Analysis date:
2021-09-07 22:23:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6fd20cea-6d9e-4886-b062-052f45956801

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186132/
Detection(s):
Win.Trojan.Filerepmalware-9891402-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/462ed031-13c4-490c-b105-5100ceb23359
Result
Threat name:
GuLoader Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846959
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 479390 Sample: RFQ_PARTS PRICELIST 110-100... Startdate: 08/09/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 GuLoader behavior detected 2->40 42 8 other signatures 2->42 8 RFQ_PARTS PRICELIST 110-10007046,pdf.exe 1 2->8         started        process3 signatures4 44 Tries to detect Any.run 8->44 46 Hides threads from debuggers 8->46 11 RFQ_PARTS PRICELIST 110-10007046,pdf.exe 67 8->11         started        process5 dnsIp6 30 smdglo.xyz 31.210.20.16, 49729, 49730, 80 PLUSSERVER-ASN1DE Netherlands 11->30 32 googlehosted.l.googleusercontent.com 142.250.102.132, 443, 49728 GOOGLEUS United States 11->32 34 2 other IPs or domains 11->34 22 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->22 dropped 24 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 11->26 dropped 28 45 other files (none is malicious) 11->28 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->48 50 Tries to steal Instant Messenger accounts or passwords 11->50 52 Tries to steal Mail credentials (via file access) 11->52 54 7 other signatures 11->54 16 cmd.exe 1 11->16         started        file7 signatures8 process9 process10 18 conhost.exe 16->18         started        20 timeout.exe 1 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 22:17:07 UTC
AV detection:
9 of 45 (20.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3vav2pkwke2natrky3b76wxtb6oxy2csqrlub3sj6tjegshwlia._file
Verdict:
suspicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
104c501ae9645ce51507f20ce38690bb928cd4ce49fa769022aab6c894f0ca8e
GuLoader
47c4518661a80adc00b208c24ba1726bd1074360eec4c2e3d265f6c412f745f9
GuLoader
48a9a59f8f5afdc2bbf18d636f058d32538336577487cdbba99f6b63e367dbb6
GuLoader
74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73
GuLoader
7754406e305f40d2a17def7c7d64ed01e3911f18368e36e64b90af21c48a91c4
GuLoader
81462d560b4bf3660bc4eb2c57b827c7e09dea12f4d590ed05880c3d0fc560cb
GuLoader
ba0751d8b1ccba23fce33d31e5f8ecf75af336cac86b5ae1d2c4306d53cd148c
GuLoader
ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9
GuLoader
f473972f1bc6adb86928a21d4a7af08550aec0ca5c17056a95e830142a2e8f11
GuLoader
+ 2'649 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210907-17cpsadch5/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0
MD5 hash:
ac23a257a837c7fa2d21f5bc02328aba
SHA1 hash:
b5a79b134d5a9d7ca07944afc7e87c96a26a103f
Link:
https://www.unpac.me/results/648246c2-8bd0-4497-92e1-151565a2d5a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/186132/

Comments