MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd
SHA3-384 hash: 5c72067c3f75ca0635595bcdb03bc5fc9bbf05e7290ee72b9ab201516378301ee51669fb3ae132786a5f0658287b7fbf
SHA1 hash: b9044a839436619055ce9350d75293a2b28bb194
MD5 hash: 84f07fb808c942462f3ab00c17782217
humanhash: thirteen-kilo-sierra-five
File name:964309_Invoice_confirmation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2021-01-08 08:22:16 UTC
Last seen:2021-01-08 09:50:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 690ed9eee3aab240a93936dee17050b4 (6 x GuLoader)
ssdeep 1536:WEqZdfva2ckw6GR81Zsy+wHVVQ5C6eXwoJXxL7:cTva2o68yn7woJF
TLSH B393D57FF750F732C75290F45A647E60038868361D399B4BD682261E2B78AFED528363
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: parfum-bhs.ru
Sending IP: 84.42.40.54
From: Jerry David <nataly1@parfum-bhs.ru>
Subject: Payment Confirmation..
Attachment: 964309_Invoice_confirmation.iso (contains "964309_Invoice_confirmation.exe")

GuLoader payload URL:
https://newsnowextra.com/jk/janomo_EJIMHXJx176.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
964309_Invoice_confirmation.exe
Verdict:
No threats detected
Analysis date:
2021-01-08 08:23:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c5830a2-0ab7-4f55-8b82-d8654e2fa6b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110935/
Detection(s):
SecuriteInfo.com.Gen.NN.ZevbaF.34742.fm0@a0J5s2ab.12501.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/576459
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd/
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-08 08:23:13 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajktwjjuj7ltwghnscvv7shjyeiqa42likpjbicsps6bv3lz426q._file
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210108-ftpdeh1hwe/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd
MD5 hash:
84f07fb808c942462f3ab00c17782217
SHA1 hash:
b9044a839436619055ce9350d75293a2b28bb194
Link:
https://www.unpac.me/results/580baad9-7f19-4253-a907-60f02df6bcbb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso c9c063ae8844fe7913121b3cc6a4ce129496d18b7a54711e194db1939887a0f8

GuLoader

Executable exe 02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/950959/
  
Dropped by
MD5 ec6dc4f54eec016a0a5d0e9a290a717c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110935/
  
Dropped by
SHA256 c9c063ae8844fe7913121b3cc6a4ce129496d18b7a54711e194db1939887a0f8

Comments