MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f18971acfee0d02e3379175905a33f2436a786c36c310266e5c6f717d64d7d4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	f18971acfee0d02e3379175905a33f2436a786c36c310266e5c6f717d64d7d4f
SHA3-384 hash:	698de4be87de7bf40b5692b572db7a320a6ca20dc2414792214b4ef65ede74ff5596fe773b966cfa59e91d5d70e0614b
SHA1 hash:	a9abf554ff19974df6b9a254d43f638aa6a7d0f2
MD5 hash:	0987863b5dff95a00c0f017e478cd3e0
humanhash:	finch-river-victor-jig
File name:	Prejudgments.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-08-03 14:28:03 UTC
Last seen:	2020-08-03 16:03:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	947b927df3029461b549c92615079e18 (1 x GuLoader)
ssdeep	768:SniS/DMAqme9dwl+6jFBSKW1pOB/iTkxXlcTNGK4avw2P/ND2r7sqNXVS/:SniuDMYe65BOqqIx6TNGK4a405cXVu
Threatray	513 similar samples on MalwareBazaar
TLSH	62A3C566A5E84239F1B7EF715D7806E7413CBC39752EC48B4EE4389E3772A089620637
Reporter	theDark3d
Tags:	GuLoader Loki

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/37965/

Detection(s):

SecuriteInfo.com.Fareit-FXX0987863B5DFF.3158.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AgentTesla GuLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/408134

Signature

Contains functionality to hide a thread from the debugger

Found malware configuration

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: RegAsm connects to smtp port

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f18971acfee0d02e3379175905a33f2436a786c36c310266e5c6f717d64d7d4f/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-08-03 14:29:06 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gexdlh64dic4m3zc5mqliz7eq3kpbwdnqyqezxfy33rpvsnpvhq._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200803-c6q4drn4ta/

Behaviour

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/f18971acfee0d02e3379175905a33f2436a786c36c310266e5c6f717d64d7d4f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/37965/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample