MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2a95abdc357f8ebb4ad5ac4017cca21882d67431e7afc49dd268182c8214506. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	a2a95abdc357f8ebb4ad5ac4017cca21882d67431e7afc49dd268182c8214506
SHA3-384 hash:	8fed3b3925dc8a7b6146af32513ba67098054defe9d4278768d5fce6321001611e3c118471f43f121c75b3efe2f9bbbd
SHA1 hash:	5d98aa97144ef231159ebdc302a120ec62ad4e35
MD5 hash:	1ebc87afa8fcc795a14685a0b42e6c26
humanhash:	johnny-bakerloo-friend-gee
File name:	okoyasee.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	40'960 bytes
First seen:	2020-09-30 13:33:45 UTC
Last seen:	2020-09-30 15:04:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	24c7f2021b67952b599ea38574c9f95c (6 x GuLoader, 1 x AZORult)
ssdeep	768:YXeayyWs056gZdiNF55HWUlLvapGyVPp:XxyWTsgZdit52UlTQVx
Threatray	2'076 similar samples on MalwareBazaar
TLSH	F203191FE1785B71DA199FBD1A2296B402073CB0DA059E6FE54B392D0D32FD4F8E121A
Reporter	James_inthe_box
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/67140/

Detection(s):

SecuriteInfo.com.Variant.Midie.75586.3298.23312.UNOFFICIAL

Win.Malware.Vbcryptor-9769197-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Creating a file in the %temp% subdirectories

Reading critical registry keys

Stealing user critical data

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

rans.phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/478393

Signature

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Potential malicious icon found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2a95abdc357f8ebb4ad5ac4017cca21882d67431e7afc49dd268182c8214506/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-09-30 10:53:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ukuvvpodk74oxnfnllcac7gkegec2z2ddz5pyso5e2ayfsbbiuda._file

Verdict:

malicious

Label(s):

guloader

GuLoader

253b92053e006314eb4999d0c399fea214273978dd0cd4ff012335116fe9d6fa

GuLoader

4515c333f7395af0cbe0c374d8f51cabf9566006860500ed0f223eff497e76d4

GuLoader

79b3d9bfe6c97a51d65ff4b458b82c1afa8bff5f7a273f2248e37dffe0cdc89a

GuLoader

967840dc51b335c1d106b347d2320a63d30d3ef2836eceff1be77bc36c7ef371

GuLoader

aebcacef83bf139cf1f922a1c8687449286d661908b9ffbdd7e51866ebde4409

GuLoader

b1870a333468762962079f0f81ecd22f7e40e53c504dd031e999761f267bc347

GuLoader

cbd23ab3964e6425f0068a39d6f15dd86708c1bd091912e9229c1840e75ec70d

GuLoader

e261dff0d343917a991d8a85c2cc852008b3a9ab5a7ea0e088b2b54a83c9147d

GuLoader

e8ce2fc9936957e5562804f9e72a2e0f96b680605947ab9ea9c881548aafd6df

GuLoader

+ 2'066 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

trojan infostealer family:azorult spyware discovery

Link:

https://tria.ge/reports/200930-95vz7bx37j/

Behaviour

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Unpacked files

SH256 hash:

a2a95abdc357f8ebb4ad5ac4017cca21882d67431e7afc49dd268182c8214506

MD5 hash:

1ebc87afa8fcc795a14685a0b42e6c26

SHA1 hash:

5d98aa97144ef231159ebdc302a120ec62ad4e35

Link:

https://www.unpac.me/results/08c1bccf-47c8-46e7-9018-fa2c1d4aec00/

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/08c1bccf-47c8-46e7-9018-fa2c1d4aec00/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2a95abdc357f8ebb4ad5ac4017cca21882d67431e7afc49dd268182c8214506

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/67140/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample