MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d7fa1333a5961bda5ebab33039aee56eb4b38ecf03b3d9e72564426c321568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b2d7fa1333a5961bda5ebab33039aee56eb4b38ecf03b3d9e72564426c321568
SHA3-384 hash:	4bf14483cdef587e14999e48ced62c2f731a972ebab47f249a482080fc9af390a536b7a083a5c94778c6d4d359e5bb56
SHA1 hash:	e3e70c675b16464b017be631aacbba5e93ffe354
MD5 hash:	3680b56c0c18a7fc020597030b1ded52
humanhash:	nebraska-south-failed-sink
File name:	Shipping Details_PDF.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	57'344 bytes
First seen:	2020-11-03 07:35:59 UTC
Last seen:	2020-11-03 14:20:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7890f146edeaeb8ae782387358143c21 (4 x GuLoader)
ssdeep	384:SBtolSdruVO/N71qjv+bfAap5f1v12Z8JsLVZVYzPCOScSOx082Zfch4eawXcEu:Sv0+ru0pCv7qfrSG0/IYdo0/ga0
Threatray	3'032 similar samples on MalwareBazaar
TLSH	CB434A56B4E594DBEF8746B20B5DC77CC2E37D212910FB03A2543EAE287CA954C0935E
Reporter	cocaman
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

3

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/81966/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Trojan.qm.26940.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/518898

Signature

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Potential malicious icon found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b2d7fa1333a5961bda5ebab33039aee56eb4b38ecf03b3d9e72564426c321568/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-11-03 07:37:06 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wll7ueztuwlbxws6xkztaono4vxljm4oz4b3hwphevsee3bscvua._file

Verdict:

suspicious

Similar samples:

0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813

07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c

0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6

26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0

3f2c710a97bb42579ee2f9956437ff160a68bd787439fbc025ab3d6b46076d34

448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9

4acadb0925e9ed9375a93307e5fbee58a8bbefe02a97463bf45e45752a7cfe42

804257e2a2990868ba42413a9e115971317e5a3d80b13ae9526dabd277a49040

a891606327e5e625ddd626a1c63958e6575c2293bcfef7388fb803cef653f931

c38dbdd341beb6f537971c9b0d98083ac08b59517052052b85d9368f85f63936

+ 3'022 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201103-fzy4bpbcys/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

b2d7fa1333a5961bda5ebab33039aee56eb4b38ecf03b3d9e72564426c321568

MD5 hash:

3680b56c0c18a7fc020597030b1ded52

SHA1 hash:

e3e70c675b16464b017be631aacbba5e93ffe354

Link:

https://www.unpac.me/results/e3eb9e0e-9ab1-4ff9-a9dd-cb0bb53e9a41/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b2d7fa1333a5961bda5ebab33039aee56eb4b38ecf03b3d9e72564426c321568

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 781409bfaa56ba983b5a3a2b4d3a061b73449a7a1b7c45ac98b693f06949dccc

exe b2d7fa1333a5961bda5ebab33039aee56eb4b38ecf03b3d9e72564426c321568

(this sample)

Delivery method

Other

Dropped by

SHA256 781409bfaa56ba983b5a3a2b4d3a061b73449a7a1b7c45ac98b693f06949dccc

Cape

Cape

https://www.capesandbox.com/analysis/81966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample