MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd9a58a1ecdcfcfe67bc1eb8d2d2d35ec30a93651c6c60cca4c519b19c20be39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd9a58a1ecdcfcfe67bc1eb8d2d2d35ec30a93651c6c60cca4c519b19c20be39
SHA3-384 hash: 1b15efe7fadebb355e5d12698e64b6d9345ce5bdbaebc2eac55475aaea5a1e27570111bc42fba15ad04eca1f3180b6dc
SHA1 hash: 58b1e8c5ae40698016d3a1e1a82caa73b147b15f
MD5 hash: 2febe1778eb937eb0e093df5c2f2239d
humanhash: paris-virginia-twenty-west
File name:possible PO.pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:65'536 bytes
First seen:2020-10-07 05:03:07 UTC
Last seen:2020-10-07 06:24:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d69f519ae42d0f7dbb0f0ea17eed53bc (6 x GuLoader)
ssdeep 384:3cXTIdQ9QXrvI/N2taxaOsshXEFop3G1WKF7KX4nhmLV8ewvQtuNp2O2:3zdQ9QXrvrt0tssPlLKF7KX4k6K4NAO
Threatray 2'264 similar samples on MalwareBazaar
TLSH B1539F7EA3E8DC51F1ACFD7407619A940C25BC317DE8884729B87BBA063376C6E60257
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: sipau1-19.nexcess.net
Sending IP: 103.242.92.13
From: Azmi Alshanti <Office-Purchasing@mail.com>
Subject: Possible Inquiry
Attachment: possible PO.pdf.zip (contains "possible PO.pdf.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=7A41C5DF29C70D9C&resid=7A41C5DF29C70D9C%21120&authkey=ANb4_N57gW8qfaA

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68763/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483644
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294272 Sample: possible PO.pdf.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 21 smtp.yandex.ru 2->21 23 smtp.yandex.com 2->23 31 Potential malicious icon found 2->31 33 Found malware configuration 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 9 other signatures 2->37 8 possible PO.pdf.exe 2->8         started        signatures3 process4 signatures5 39 Writes to foreign memory regions 8->39 41 Tries to detect Any.run 8->41 43 Hides threads from debuggers 8->43 11 RegAsm.exe 15 9 8->11         started        15 RegAsm.exe 8->15         started        17 RegAsm.exe 8->17         started        process6 dnsIp7 25 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.109.69, 443, 49757 AMAZON-AESUS United States 11->25 27 onedrive.live.com 11->27 29 3 other IPs or domains 11->29 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 57 3 other signatures 11->57 19 conhost.exe 11->19         started        51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->53 55 Contains functionality to detect hardware virtualization (CPUID execution measurement) 15->55 59 2 other signatures 15->59 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd9a58a1ecdcfcfe67bc1eb8d2d2d35ec30a93651c6c60cca4c519b19c20be39/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 01:58:26 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wnfripm3t6p4z54d24nfuwtl3bqve3fdrwgbtfeyum3dhbaxy4q._file
Verdict:
suspicious
Similar samples:
1289d591984de5325235e57987ab171b4ae3f9d55baf3476087677805922427f
GuLoader
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
GuLoader
3b6460bb14fdce88ab8ec80e5cbfecbb15bbc09de1e75c51246d1c670925b340
GuLoader
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
GuLoader
6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff
GuLoader
784d9c10d108190a9e18b3d5756404a3e63fd728abd648225cbbf80c4f78fe76
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934
GuLoader
c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead
GuLoader
ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74
GuLoader
+ 2'254 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201007-fqzcqtawtn/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
fd9a58a1ecdcfcfe67bc1eb8d2d2d35ec30a93651c6c60cca4c519b19c20be39
MD5 hash:
2febe1778eb937eb0e093df5c2f2239d
SHA1 hash:
58b1e8c5ae40698016d3a1e1a82caa73b147b15f
Link:
https://www.unpac.me/results/6b8a818e-e30a-4c91-a91e-5c8e4f880da8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/fd9a58a1ecdcfcfe67bc1eb8d2d2d35ec30a93651c6c60cca4c519b19c20be39

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 4be6330f8de3ceaf55f723debdebb04969e33e2c2752ffe9065ed5831117765b

GuLoader

Executable exe fd9a58a1ecdcfcfe67bc1eb8d2d2d35ec30a93651c6c60cca4c519b19c20be39

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/663170/
  
Dropped by
MD5 9a75febd58f02a74beb639cbeb0f3b2c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68763/
  
Dropped by
SHA256 4be6330f8de3ceaf55f723debdebb04969e33e2c2752ffe9065ed5831117765b

Comments