MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fee0d04292d5bb7b74e3fdfba682f02302c70ffcbc69a7d572fa9e190a683e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fee0d04292d5bb7b74e3fdfba682f02302c70ffcbc69a7d572fa9e190a683e64
SHA3-384 hash: fcaff59c3a887a4c9d139f585a958975a8d2e43a0ff68858c4b99f2f6a8d8771806d042382065ed5e8814315d6230733
SHA1 hash: b58e6ab2359544f6c6cd74415330ace4fae8f820
MD5 hash: e33c0dd8cefda67b901c37aeca4b5f2f
humanhash: asparagus-iowa-monkey-earth
File name:Bank Payment Details.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-08-12 06:37:35 UTC
Last seen:2020-08-12 07:58:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a15360462f359df8cfc9e4d782ed4e9c (1 x GuLoader)
ssdeep 768:9ARDlcI5TYRfFtuUX1D9ejfe6+hVKHoRFmLttedWz6D:9qpcxtuUXtcjfe6vHoRFifCWz6
Threatray 236 similar samples on MalwareBazaar
TLSH B2834B11AAC8F632F219C6B81E3999F354B6BC3149078F87A8253E5B7E76E03E450357
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: msr13.hinet.net
Sending IP: 168.95.4.113
From: sales.br@marel.com
Subject: Error in PAYMENT DETAILS . PLS CHECK NOW
Attachment: Bank Payment Details.7z (contains "Bank Payment Details.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1tgfsKIR7m1jSEhfvgjjR3D9WR3iqrJE7

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43942/
Detection(s):
SecuriteInfo.com.Variant.Graftor.814706.7258.29039.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/421480
Signature
Contains functionality to hide a thread from the debugger
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 263187 Sample: Bank Payment Details.exe Startdate: 12/08/2020 Architecture: WINDOWS Score: 100 49 Yara detected GuLoader 2->49 51 Yara detected AgentTesla 2->51 53 Executable has a suspicious name (potential lure to open the executable) 2->53 55 Initial sample is a PE file and has a suspicious name 2->55 7 Bank Payment Details.exe 1 2->7         started        10 filename1.exe 1 2->10         started        12 filename1.exe 1 2->12         started        process3 signatures4 57 Writes to foreign memory regions 7->57 59 Tries to detect Any.run 7->59 61 Hides threads from debuggers 7->61 14 RegAsm.exe 1 13 7->14         started        19 RegAsm.exe 12 10->19         started        21 RegAsm.exe 12->21         started        process5 dnsIp6 29 googlehosted.l.googleusercontent.com 216.58.215.225, 443, 49734, 49742 GOOGLEUS United States 14->29 31 doc-00-84-docs.googleusercontent.com 14->31 27 C:\Users\user\subfolder1\filename1.exe, PE32 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->37 39 Tries to steal Mail credentials (via file access) 14->39 47 2 other signatures 14->47 23 conhost.exe 14->23         started        33 doc-0s-a0-docs.googleusercontent.com 19->33 41 Tries to harvest and steal browser information (history, passwords, etc) 19->41 43 Tries to detect Any.run 19->43 45 Hides threads from debuggers 19->45 25 conhost.exe 19->25         started        file7 signatures8 process9
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fee0d04292d5bb7b74e3fdfba682f02302c70ffcbc69a7d572fa9e190a683e64/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 06:39:09 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=73qnaqus2w5xw5hd7x52naxqembmod74xru2pvls7kpbsctihzsa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0213d8db1a9c13b9dc0926e8102e937054512783c310e9b9ede0f069271ea727
GuLoader
0a699d50cee9fc3eb46b0703c5502a84fbb357757853e25474683baf8f477fe0
GuLoader
0d3054972b35fa5c6f67ba30f1495823dda35917b171af358242c20293e2bbbb
GuLoader
353be7f64ffa25bf3d8ea90b55b9b288633883f00f328841007f82324a37a4d7
GuLoader
45e3a9f28c7e79a55264a5c88490dfe51a73639eac96e29f724bdc96232e341b
GuLoader
4d304c854141d69a578a006c7982fe1b915f5424b017c46e25ec65301c66f395
GuLoader
b7c38b8ca8e90da906c7df9ea379e0c9386780ee32b174cd1f82cd8662822efc
GuLoader
bfd922757fc0667e42b7d5de0b6cf78f7a08a335b3beef49782be73b8433619e
GuLoader
d251c653db7e7df1e0d7858d8e1870055a5ccdd5749295c1a41a1e47f2a3c109
GuLoader
f27eb43c59ea9a9f7ffc4e9bb14e67fd1667825c0e8851d4a1abb9441180076a
GuLoader
+ 226 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/200812-gr62zw67ne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/fee0d04292d5bb7b74e3fdfba682f02302c70ffcbc69a7d572fa9e190a683e64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

7z d287556cdf81a0164be5a8690a7b71206533e9d6287da1aeac1238832b4de38e

GuLoader

Executable exe fee0d04292d5bb7b74e3fdfba682f02302c70ffcbc69a7d572fa9e190a683e64

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/429872/
  
Dropped by
MD5 8421237a4a900bb67fae6ba1849c8287
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43942/
  
Dropped by
SHA256 d287556cdf81a0164be5a8690a7b71206533e9d6287da1aeac1238832b4de38e

Comments