MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a
SHA3-384 hash: 02cf0f26ce24edbe8bf81c7b0aba410e828ffef8912f35967228521a1b6cdf785a9e6c17a84d7098462a2e761b07baac
SHA1 hash: cdc815f5fada29589c2c2e7b28f94a8389b3c752
MD5 hash: c81aa84184c65eb076884a70ab78e9c0
humanhash: romeo-fix-three-beer
File name:c81aa84184c65eb076884a70ab78e9c0.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-09-09 12:16:38 UTC
Last seen:2020-09-09 13:31:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f8ce4a8ef2bca584cba04f63be14b893 (6 x GuLoader, 1 x AZORult)
ssdeep 768:hKYLTvXiwG3Od5Ww5dAFA1fuWLfuTz/IdfuDS+F9JIFzEQlAl6qjWHzOn09TvXH:JS73OdQ9A1fuamz/IdfuTF4ol2J
Threatray 32 similar samples on MalwareBazaar
TLSH B7834C42F2579179C31481FE1978A5B800FEBC3018A6CA4BBA447EFE29F16F5953721B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21146&authkey=APi3U251Vt0j1mM

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58114/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.54701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/462085
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
n/a
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-09-08 03:14:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwi7zjldit5bik54jveyzr2m3thmau44kot2mtebuptmign2xifa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
guloader
Create hunting rule
Similar samples:
0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2
GuLoader
15145ed8e5ae3cf2acf9ad25bbcb3f782c4d8ba9674185d06baa66ae6d17f25a
GuLoader
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
GuLoader
2c80f61e5c61bb87be9e2d60e69093bcb5082fc690fcd751be787dbd118d5e57
GuLoader
68f66dd88b1a69a8ff2e63cca5e4554e1b147ccd2474d356b60a749c21412fd4
GuLoader
6b4c217c0bdb4660db2d83a8deb9e538e801e8c275e5e1fe955497970daf24c0
GuLoader
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
GuLoader
7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09
GuLoader
acd781dfe44f61dafb6b3fc6f648c4833b96872caca16e7d746c914987979dd5
GuLoader
e184f318d66c8ea996fd994937e70a67591a5f77a86058244746089ed51819ad
GuLoader
+ 22 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult spyware discovery
Link:
https://tria.ge/reports/200909-yeeekwdanj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/456075/
  
URLhaus
https://urlhaus.abuse.ch/url/456057/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58114/

Comments