MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5a816999e872c25ee4802b2602b043aeb0660633a5fec196f6d4705799bbf62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5a816999e872c25ee4802b2602b043aeb0660633a5fec196f6d4705799bbf62
SHA3-384 hash: ed96f0eb36a4e825fa2c42606a134e0f1149e41331a1a13b8a3a334813da8a4dfc3cd8a1bdd1f404db8edcb618c5074e
SHA1 hash: d88b1b991373a757148a131361d704fd5e070e34
MD5 hash: 708a4ae692e7f200aefc373af62b870e
humanhash: spring-india-low-magazine
File name:eMailShip Arrival document(s) awb #960597804.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2021-08-06 13:39:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b947ef57db12504396f2fb768b954d80 (5 x GuLoader)
ssdeep 768:ZcZs5J9I4x4eQX8NnruqdCU1Dt/h8UE1hK6iCF0u98QaJZtgntTsOHGN2FEpFk4B:6C+JGNPVpeuCFT9MRgDbHkd
Threatray 3'450 similar samples on MalwareBazaar
TLSH T117B319F071A39459F192C33D8733FA1BCBE378A3951E852EB101976A1173A8D9369237
dhash icon 8000f2e8ccd4e8ba (5 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eMailShip Arrival document(s) awb #960597804.exe
Verdict:
No threats detected
Analysis date:
2021-08-06 13:54:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f47d473-faa8-46d6-bc36-cea3d63a4584

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177025/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.2207.23086.9953.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3eda4c57-140f-43dc-ad5c-5f86795cc89e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/828356
Signature
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460812 Sample: eMailShip Arrival document(... Startdate: 06/08/2021 Architecture: WINDOWS Score: 76 41 Executable has a suspicious name (potential lure to open the executable) 2->41 43 Initial sample is a PE file and has a suspicious name 2->43 45 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->45 7 eMailShip Arrival document(s) awb #960597804.exe 1 2->7         started        10 gqdBJdt.exe 2 2->10         started        12 gqdBJdt.exe 1 2->12         started        process3 signatures4 47 Writes to foreign memory regions 7->47 49 Tries to detect Any.run 7->49 51 Hides threads from debuggers 7->51 14 RegAsm.exe 2 11 7->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        process5 dnsIp6 27 drive.google.com 142.250.186.46, 443, 49713 GOOGLEUS United States 14->27 29 googlehosted.l.googleusercontent.com 142.250.74.193, 443, 49714 GOOGLEUS United States 14->29 31 doc-14-44-docs.googleusercontent.com 14->31 25 C:\Users\user\AppData\Roaming\...\gqdBJdt.exe, PE32 14->25 dropped 33 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->33 35 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->35 37 Tries to detect Any.run 14->37 39 2 other signatures 14->39 23 conhost.exe 14->23         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5a816999e872c25ee4802b2602b043aeb0660633a5fec196f6d4705799bbf62/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 13:40:17 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wubngm6q4wcl3siakzgakyehlvqmyddhjp6yglpnvdqk6m3x5ra._file
Verdict:
unknown
Similar samples:
17a00793ae886c9cae84cba40332249374010e64bd168e907d9a16076479ff29
GuLoader
250d4d5045162c39e3c1b9d637e0188089299a04106202afdf1f4826d24e27f4
GuLoader
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
GuLoader
37fba5e93049ee78ac1fdf1fafe945636680193ddcb1dc9533f2c9ac80d3744c
GuLoader
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
GuLoader
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
GuLoader
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
GuLoader
9eaaa51cdaaead40d21f14ead0122b0e9862326895d672fa803d2c6fad981602
GuLoader
a9c312936a88ac3629aa8fb5c4d6b5fe5fcad17319b825bf4b383fd807cb3f51
GuLoader
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
GuLoader
+ 3'440 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210806-vkkwzjmh8a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Guloader,Cloudeye
Malware Config
C2 Extraction:
https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocument
Unpacked files
SH256 hash:
e5a816999e872c25ee4802b2602b043aeb0660633a5fec196f6d4705799bbf62
MD5 hash:
708a4ae692e7f200aefc373af62b870e
SHA1 hash:
d88b1b991373a757148a131361d704fd5e070e34
Link:
https://www.unpac.me/results/2b6f1042-d371-4409-ba08-2e9f78927c48/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e5a816999e87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5a816999e872c25ee4802b2602b043aeb0660633a5fec196f6d4705799bbf62

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177025/

Comments