MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dfc1867ced521cbf61f7bbe647e8a6e5bdd3a05e22c05dcee20660e236d5812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	1dfc1867ced521cbf61f7bbe647e8a6e5bdd3a05e22c05dcee20660e236d5812
SHA3-384 hash:	8129614b0d9369ac780d6e775743a3d6d727144fa1cfb1137246ed82028419e95f93201f30c11529cf301137efb906aa
SHA1 hash:	3a10ce9c17ce932e1866b71766e637973d56adc6
MD5 hash:	e224b89fc85c46253d7b733764fe415c
humanhash:	kansas-spring-pennsylvania-ohio
File name:	New Supplier inquiry 07030810HAMZ_ doc.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	81'920 bytes
First seen:	2020-07-31 12:16:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e062b7472f0914496d75030cc40faa01 (1 x GuLoader)
ssdeep	768:efNXgz/ie7Q/g4tp63k41vRwquCJcIYhTeoCz+NMDh:eXgObLt14oquScPTZNah
Threatray	714 similar samples on MalwareBazaar
TLSH	9D834B4267D49432FB65C5F56F36AEA7417FEC300810CA0BA5A43E1EAFB6B06D42035B
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: smtp.aonbd.net
Sending IP: 117.58.240.41
From: Purchase A. S <info@brookvvoodcos.com>
Subject: Re: New Supplier enquiry-PO/Contract Brookswoods
Attachment: New Supplier inquiry 07030810HAMZ_ doc.uu (contains "New Supplier inquiry 07030810HAMZ_ doc.exe")

GuLoader payload URL:
http://baritaco.com/waz30_OIwzej222.bin

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/36501/

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/406057

Signature

Contains functionality to hide a thread from the debugger

Creates autostart registry keys with suspicious values (likely registry only malware)

Hides threads from debuggers

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1dfc1867ced521cbf61f7bbe647e8a6e5bdd3a05e22c05dcee20660e236d5812/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-07-31 01:20:00 UTC

AV detection:

32 of 48 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dx6bqz6o2uq4x5q7po7gi7uknzn52oqf4iwalxhoebta4i3nlaja._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200731-8wjksmelrs/

Behaviour

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1dfc1867ced521cbf61f7bbe647e8a6e5bdd3a05e22c05dcee20660e236d5812

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 6d9686298776898336ef41f6818118fb3ac47492042943e4068c3c89b51c2bbf

GuLoader

exe 1dfc1867ced521cbf61f7bbe647e8a6e5bdd3a05e22c05dcee20660e236d5812

(this sample)

Dropped by

MD5 644892757eee7cf70c0c9afdfbea38ba

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/36501/

Dropped by

SHA256 6d9686298776898336ef41f6818118fb3ac47492042943e4068c3c89b51c2bbf

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample