MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 010178bde9e8366d4f93c28ab8a65a7acb802353f9370de9a807ed621fa3d24d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 010178bde9e8366d4f93c28ab8a65a7acb802353f9370de9a807ed621fa3d24d
SHA3-384 hash: 37557f69b62b8d9b2f2c22e86022255ce55650ffec624194f5ca4034ad5047db228e3ea248f6642fc9c6e0b1c29707d5
SHA1 hash: 734dcee99ca6c86283e71a235a62ce79e05e30e6
MD5 hash: 9162eb06c5fc08a948d4b970982f535f
humanhash: november-oxygen-bakerloo-alaska
File name:INQ. NO. INQ-18330.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-08-05 07:58:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d0c5af9ab1ee0733eba772694800f65f (1 x GuLoader)
ssdeep 768:Jr9fVYxlcf0j+Kv4C/3ASfwm9yAmsc90w5Dr:JhfCccvv73A6wfZOw5D
Threatray 1'926 similar samples on MalwareBazaar
TLSH BC834B116188E932F315C6F17B3646BB413FBE300946CF0B75583E2A3E36E5AA969317
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: serve0.alibcompositeltd.pw
Sending IP: 104.168.190.254
From: F. Rabbi & Co<info@alibcompositeltd.pw>
Reply-To: <swadeshi.bsnl.co.in@gmail.com>
Subject: DICLOFENAC SODIUM - PANACEA PHARMACEUTICALS
Attachment: INQ. NO. INQ-18330.zip (contains "INQ. NO. INQ-18330.exe")

GuLoader payload URL:
http://anakleather.ir/debere_CdyjwbXV11.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39141/
Detection(s):
SecuriteInfo.com.Fareit-FXX9162EB06C5FC.28707.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/410450
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/010178bde9e8366d4f93c28ab8a65a7acb802353f9370de9a807ed621fa3d24d/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 00:14:39 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aeaxrppj5a3g2t4tykflrjs2plfyai2t7e3q32nia7wweh5d2jgq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
guloader
Create hunting rule
Similar samples:
23f8a240f24779895ffce4e489da04e8cc2c705b2311e13a44432a6ef1b1b430
GuLoader
2786efe3773e80f8c604fcc48b4f24911d86c7d5b1df5d19c4e17b1002255e64
GuLoader
53e239b6031b90ba0da5ad4913eccc1d651ede3bb4b5c21a02d81387f48303d6
GuLoader
7ba1021aa7ca0d20da2e205ff413a3153f4f3bb444a8a2bdfc0d97d3348b84be
GuLoader
8d88c99ff33ecbed42e4185b925f890a616aa0307a559d61595ab67dae6a1a09
GuLoader
8fa47ee760cf1c21de132ec77eef49282a2312f197aba6026ee1de750051014b
GuLoader
a077d38903221c844f9f20a8c6e022a3242445b85faa55e8e650b7a727e048ae
GuLoader
ceaa099f2a2de97a363ef5f7cd4e42fc5f362113a470db75d69848e24a52b14c
GuLoader
e43b2e9112cfdb0636686ec8994eaf717d159d10daefda23f11588a424468e90
GuLoader
e7e511b27ab7c95f959c45346cc2e4d79251e238e8e57df181be987036bfcdf5
GuLoader
+ 1'916 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-dancngv1ej/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/010178bde9e8366d4f93c28ab8a65a7acb802353f9370de9a807ed621fa3d24d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 5e30aa1ed29d53fe6d89ecd56137398077c508fb5599bc381705311df349cf2d

GuLoader

Executable exe 010178bde9e8366d4f93c28ab8a65a7acb802353f9370de9a807ed621fa3d24d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/424599/
  
Dropped by
MD5 ef000315e7bdfbd31761fd3d4e9c0a48
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5e30aa1ed29d53fe6d89ecd56137398077c508fb5599bc381705311df349cf2d
Cape
Cape
https://www.capesandbox.com/analysis/39141/

Comments