MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8b09f7077354fc4eac453773e0404cfcb88694939d7604165d0ea768249050d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 8



SHA256 hash: e8b09f7077354fc4eac453773e0404cfcb88694939d7604165d0ea768249050d
SHA3-384 hash: b1b03574a682c162705852abe697af2d21888914f6432a2127d3cec4f03ed0c2fc64ccd84be8b2c75e82a7db19df5079
SHA1 hash: c0d05974370965a8130a1b6f44ba83c5e536dbb0
MD5 hash: 2dbb9f7bea80db4daaeeccf43e21b59d
humanhash: low-xray-paris-vegan
File name: SWIFT-89,362 EUR.jpg.exe
Signature: GuLoader
File size: 86'016 bytes
First seen: 2020-08-04 15:26:00 UTC
Last seen: 2020-08-04 15:56:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6d57a2066a14899d5d329f1129d874cc (5 x GuLoader)
ssdeep: 768:cpsZIHD5x2YVhGfyw9TzGS5cWPC6h27UPcv0tk9p:cKZWxNVYyw1ztcWgKtk9
Threatray: 90 similar samples on MalwareBazaar
TLSH: CC834A2165C8E571F706C2B42B3A56F7417AAD70884ECF0B75483F1B2AF3E159AA0367
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: mta1.witecompanyglobal.ga
Sending IP: 142.11.194.198
From: Muhammad Sarmad Sultan <sales@witecompanyglobal.ga>
Reply-To: paulas@sigrnfg.com
Subject: RE: Fw: Edgar Hohls
Attachment: SWIFT-89,362 EUR.jpg.zip (contains "SWIFT-89,362 EUR.jpg.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=8E778D4A23C91A07&resid=8E778D4A23C91A07%21117&authkey=AO5mGHew7uCYUr8

Intelligence


File Origin
# of uploads: 2
# of downloads: 131
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Creating a process from a recently created file
Connection attempt
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name: AgentTesla FormBook GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to hide a thread from the debugger
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph (ID: 257129)
Sample: SWIFT-89,362 EUR.jpg.exe
Start date: 04/08/2020
Architecture: WINDOWS
Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Yara detected GuLoader; Yara detected AgentTesla; 4 other signatures

Process tree (reconstructed from the graph):
SWIFT-89,362 EUR.jpg.exe (started)
  signatures: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers
  -> RegAsm.exe (started)
       DNS/IP: wvh9tw.dm.files.1drv.com; wvgyla.dm.files.1drv.com; onedrive.live.com
       dropped: C:\Users\user\preverifying.exe (PE32); C:\Users\user\AppData\Local\...\Mymp4.exe (PE32)
       signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 8 other signatures
       -> preverifying.exe (started)
            signatures: Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
            -> preverifying.exe (started)
                 DNS/IP: wvjiqg.dm.files.1drv.com; onedrive.live.com
                 signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
                 -> explorer.exe (injected)
                      DNS/IP: www.hermes-gtd.com; www.alsoryplast.com
                      -> systray.exe (started)
                           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                           -> cmd.exe (started)
                                -> conhost.exe (started)
                      -> Mymp4.exe (started)
                           -> conhost.exe (started)
                      -> Mymp4.exe (started)
                           -> conhost.exe (started)
       -> conhost.exe (started)
Threat name: Win32.Trojan.Vebzenpak
Status: Malicious
First seen: 2020-08-04 15:27:03 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: rat trojan spyware stealer family:formbook persistence keylogger family:agenttesla evasion
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Executes dropped EXE
Formbook Payload
Formbook
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe e8b09f7077354fc4eac453773e0404cfcb88694939d7604165d0ea768249050d (this sample)

Delivery method: Distributed via e-mail attachment

Comments