MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e
SHA3-384 hash:	7a28a044ea2edae6aba0f6be9911fa60a7042aebc78acbbc533fb9e9f78c3b76d2c73b8da0252045538c5883d78be2f1
SHA1 hash:	bea0a23f2cfc178f4bdd20219e7a81978747c224
MD5 hash:	4788f8a473deba2c7e3e704ce2869bfd
humanhash:	leopard-venus-two-mango
File name:	DHL_AWB# 9284730931.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-10-26 14:02:48 UTC
Last seen:	2020-10-27 00:35:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	02d03956d3718b494e226bdaa75e0b1f (10 x GuLoader)
ssdeep	768:DFzd9vjTtXE1zrr7U4W9t9UKDQNh8aiPwZObOF4g1FnMpNKpXP+RN/HEDAwfq9:ZjBXczrr7Udt9VDQY9PYOvQFa29
Threatray	2'711 similar samples on MalwareBazaar
TLSH	4193E723B81C5483D86587F4BE578F7D0A8FBE1478C26BDB60E20D9A7B3C5128D5E219
Reporter	abuse_ch
Tags:	DHL exe GuLoader

abuse_ch

Malspam distributing GuLoader:

From: "DHL Express"<dhl1@dhl.com>
Subject: Original Shipment Document
Attachment: DHL_AWB 9284730931.rar (contains "DHL_AWB# 9284730931.exe")

GuLoader payload URL:
https://millenium-rj.com/ozil/floow_HQaIKx54.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

142

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/79101/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

FormBook GuLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/511820

Signature

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-10-26 05:34:09 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bexhhpvdjbetaoabao7fr3uujvra45km7pkxtzumd7xhooshrn7a._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6

3f2c710a97bb42579ee2f9956437ff160a68bd787439fbc025ab3d6b46076d34

448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9

44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18

7d37b86ad0cb4b99038a10d6f95febfd7d1e096ab7ba28c6c02ada2b128873bf

8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c

9d4abcc57a7136faf706c30c8d644f1ac7b38a2adcff37072a4a7c356d2b8d57

d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818

d7a99f24befa69ac2bae23e028ef9342211ed018495b34b92b9e89448532584a

f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31

+ 2'701 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201026-q2ebr2f3fs/

Behaviour

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 6aa8f328f1263bce5a5b84bb0ea02e42231ae43507ac104a25a5938024367730

exe 092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/750727/

Dropped by

MD5 0a7aca3180211f080162213c39a5b1f3

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 6aa8f328f1263bce5a5b84bb0ea02e42231ae43507ac104a25a5938024367730

Cape

Cape

https://www.capesandbox.com/analysis/79101/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample