MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee5fd99c7fc747944fc82337291094b744fca1f9f6328551ba0f10a9f025ad52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee5fd99c7fc747944fc82337291094b744fca1f9f6328551ba0f10a9f025ad52
SHA3-384 hash: b2275f6809c52e7c2c6830bb674822fa498021797fd3ceeb902310be0e5088a434b324e015b211e8620aad3e169c4b55
SHA1 hash: 8537615bb2fb99bc4da42951ffd5efeb7979ad32
MD5 hash: 58f24f8254aec1c067afa7c1e00903c8
humanhash: november-michigan-virginia-chicken
File name:Product Specification & Technical Data.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:754'688 bytes
First seen:2020-10-07 05:00:34 UTC
Last seen:2020-10-07 06:24:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 92604fb3a4f39675f5df0ea054782743 (4 x AgentTesla, 2 x MassLogger, 1 x GuLoader)
ssdeep 12288:VebMW1iNFCCmdS7rdGLDpvyEomix6n8DaRYqnu:rdF9mdS7kDwZTcn8u+qu
Threatray 11'287 similar samples on MalwareBazaar
TLSH 7FF47E27B2A04873C1232A389C1B5BB4EE36FE1039E8AD466BF5DD4C5F797817425293
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Lo Shin Yien <support@stayntechman.com>
Subject: REFERENCE-086156
Attachment: Product Specification Technical Data.arj (contains "Product Specification & Technical Data.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68751/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483622
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294260 Sample: Product Specification & Tec... Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 23 checkip.us-east-1.prod.check-ip.aws.a2z.com 2->23 25 checkip.check-ip.aws.a2z.com 2->25 27 checkip.amazonaws.com 2->27 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 13 other signatures 2->49 9 Product Specification & Technical Data.exe 2->9         started        signatures3 process4 signatures5 59 Maps a DLL or memory area into another process 9->59 12 Product Specification & Technical Data.exe 1 9->12         started        process6 signatures7 61 Tries to detect Any.run 12->61 63 Hides threads from debuggers 12->63 15 Product Specification & Technical Data.exe 6 12->15         started        process8 dnsIp9 33 googlehosted.l.googleusercontent.com 216.58.215.225, 443, 49727 GOOGLEUS United States 15->33 35 doc-0c-3k-docs.googleusercontent.com 15->35 37 Tries to detect Any.run 15->37 39 Maps a DLL or memory area into another process 15->39 41 Hides threads from debuggers 15->41 19 Product Specification & Technical Data.exe 16 15->19         started        signatures10 process11 dnsIp12 29 enmark.com.my 110.4.45.145, 49738, 49752, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 19->29 31 mail.enmark.com.my 19->31 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->51 53 Tries to steal Mail credentials (via file access) 19->53 55 Tries to harvest and steal ftp login credentials 19->55 57 Tries to harvest and steal browser information (history, passwords, etc) 19->57 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee5fd99c7fc747944fc82337291094b744fca1f9f6328551ba0f10a9f025ad52/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 21:09:51 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zp5thd7y5dzit6iem3sseeuw5cpzipz6yzikun2b4ikt4bfvvja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
guloader
Create hunting rule
Similar samples:
0548e8d5359f46894fe4872bbba30cc48775d5fb909eba94e3534c8b018976af
GuLoader
2bb3ec5f6e8830a1b8e87a95bcb53406688386e7dd33149bb8117318f28faba9
GuLoader
4f8130693067523c153d09b000e48e744ca3b86388221a840349746ea6e561df
GuLoader
554da92aa0dff594ff82094b0a8e8125419723e8899c670f7b8d74daf0580880
GuLoader
57d8c785d274b5dad9441ec2211c49ef5fd5abef5ebb5275f9dd6b8e8ecfff21
GuLoader
7c15dd07b223275e68dd8034583f12a73fc19f2d42abede56ed8d0dfdc92edc6
GuLoader
a3cae0aae6bb5a0d6b4710e161925a315fd3ef4a5bfef88eea9fee94b35874d4
GuLoader
a9abad7f4aace35de5651f437a83f47787606345d04ea63426db6a7a9b02ba5e
GuLoader
b1667a4eee2a104e32fd9071a6de2ee27634d2e181350b329d58f54b12bd2931
GuLoader
cb13103e3eea22e8a647dd2fbf265c728b6360b15a0c46eb5b287c26acdd2c7d
GuLoader
+ 11'277 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201007-vwf7r4g8kn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
ee5fd99c7fc747944fc82337291094b744fca1f9f6328551ba0f10a9f025ad52
MD5 hash:
58f24f8254aec1c067afa7c1e00903c8
SHA1 hash:
8537615bb2fb99bc4da42951ffd5efeb7979ad32
Link:
https://www.unpac.me/results/c74f4509-4598-4d2e-8e18-e26e46daf002/
SH256 hash:
d39b1630645405209dc863198dc3792778634d27cfa30e9e1f61654ab7c442fa
MD5 hash:
06a98d60ac5d7a7adaad1c9a8f2f77a9
SHA1 hash:
c54a782f93c38de916ed0d329644836ccc7fc24b
Link:
https://www.unpac.me/results/c74f4509-4598-4d2e-8e18-e26e46daf002/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee5fd99c7fc747944fc82337291094b744fca1f9f6328551ba0f10a9f025ad52

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj 2371512e5a006e4d27e04fdaf3b41205c850869535db847350eddafee5f1bf1d

GuLoader

Executable exe ee5fd99c7fc747944fc82337291094b744fca1f9f6328551ba0f10a9f025ad52

(this sample)

  
Dropped by
MD5 259c0ee152222c73a06db2a5787d6b6e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2371512e5a006e4d27e04fdaf3b41205c850869535db847350eddafee5f1bf1d
Cape
Cape
https://www.capesandbox.com/analysis/68751/

Comments