MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead
SHA3-384 hash: a5acb684a2c8d46750aefba85809ee08a24d43a6816dea8dd6f65ca46c1df60e3ea49e84fd17c8c6c29cc77468428ad6
SHA1 hash: cac765a4ac0c38822143c28d44c2b7b4aaaa1c3c
MD5 hash: 7c18961a1aab50c8d092ee1285d5f354
humanhash: hamper-washington-beryllium-nebraska
File name:PO.pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:65'536 bytes
First seen:2020-10-06 06:04:54 UTC
Last seen:2020-10-06 07:22:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b05ff7faf0ef7c5daecbf99f3a4e5a6f (6 x GuLoader)
ssdeep 768:Pk5WJesbbC+MrPrjlXj49tR5o5qG5Y0HQ8TdaA:CWjbC+MDrjlXj4Z5sqG3T
Threatray 2'263 similar samples on MalwareBazaar
TLSH 9153C1B9A3C99C16F40DFDB00E5283904C527D707EE98A87A4787B3A1872B6E7C1175B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: sipau1-19.nexcess.net
Sending IP: 103.242.92.13
From: Azmi Alshanti <Office-Purchasing@mail.com>
Subject: Possible Inquiry
Attachment: Possible Inquiry.pdf.zip (contains "PO.pdf.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=7A41C5DF29C70D9C&resid=7A41C5DF29C70D9C%21118&authkey=AGpYDF93tk1PiOc

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68437/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482369
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 02:05:38 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbc5benambjam5jqszzsi3twnupgdpmq5yhenyn2i36aryond2wq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1289d591984de5325235e57987ab171b4ae3f9d55baf3476087677805922427f
GuLoader
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
GuLoader
3b6460bb14fdce88ab8ec80e5cbfecbb15bbc09de1e75c51246d1c670925b340
GuLoader
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
GuLoader
6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934
GuLoader
d29fa6e0fa83a4332afc39315b3961e609bddc91c1b60590c82b009d20cd9f3a
GuLoader
d9295800a68a51a4aab09c2785cd7887e867b59b267a1b2c27e0b06be7d1752e
GuLoader
ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74
GuLoader
+ 2'253 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201006-fzyk7kn7l2/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead
MD5 hash:
7c18961a1aab50c8d092ee1285d5f354
SHA1 hash:
cac765a4ac0c38822143c28d44c2b7b4aaaa1c3c
Link:
https://www.unpac.me/results/59e18de3-1acb-4af1-9c0c-b9d1d21a2906/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip b3190586045b742face7fe9f90e71caa6960a46715d7f1978cced2eac1c56310

GuLoader

Executable exe c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/658347/
  
Dropped by
MD5 95c99bda07156806839a52afcf3b638b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b3190586045b742face7fe9f90e71caa6960a46715d7f1978cced2eac1c56310
Cape
Cape
https://www.capesandbox.com/analysis/68437/

Comments