MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c7081e0e58dc4c306138f6287a984eee9ac748fb537394a6632688077857a09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c7081e0e58dc4c306138f6287a984eee9ac748fb537394a6632688077857a09
SHA3-384 hash: 94d770570c0d6cbd275d1c261243a6b608fd3b0006905e8788b441836a7b0813d1bfbfe971b949de6873f5ffb7365241
SHA1 hash: 6c9ff836d72150944a6b78f26b9e608170424cf4
MD5 hash: f73e8ec3fae604ade68d648af421cc64
humanhash: king-romeo-freddie-eleven
File name:AWB DHL 7214306201 Shipment Notification.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:450'536 bytes
First seen:2022-09-27 05:58:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 12288:G3ZfmTsbYHtTITbCRJNKZ7Ikwpxw+niZ+cVOdiT:G3ZfmTksIe5Fxwx7
Threatray 2'115 similar samples on MalwareBazaar
TLSH T115A4236196F1D827D9544F7348131226B6BA6D213CB3868F5F847F9D3DF86808E4E0AD
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313813/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39405/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/633291275291e4a063ec08b8/reports/dc9e3433-5e89-48c3-ae34-360690f75bb6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/711e810e-fc3a-4eea-82ef-831c227fe128
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078087
Signature
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 710642 Sample: AWB DHL 7214306201 Shipment... Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 26 sl-industries.com 2->26 28 mail.sl-industries.com 2->28 30 3 other IPs or domains 2->30 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected GuLoader 2->40 42 Yara detected AgentTesla 2->42 44 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->44 8 AWB DHL 7214306201 Shipment Notification.exe 2 41 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\Local\...\System.dll, PE32 8->18 dropped 20 C:\Users\user\AppData\Local\...\libpsl-5.dll, PE32+ 8->20 dropped 22 C:\Users\user\...\eventlog_provider.dll, PE32+ 8->22 dropped 24 2 other files (none is malicious) 8->24 dropped 46 Writes to foreign memory regions 8->46 48 Tries to detect Any.run 8->48 12 CasPol.exe 19 8->12         started        signatures6 process7 dnsIp8 32 sl-industries.com 67.21.32.181, 49837, 49838, 587 H4Y-TECHNOLOGIESUS United States 12->32 34 googlehosted.l.googleusercontent.com 142.250.185.193, 443, 49835 GOOGLEUS United States 12->34 36 drive.google.com 172.217.16.206, 443, 49834 GOOGLEUS United States 12->36 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->52 54 Tries to steal Mail credentials (via file / registry access) 12->54 56 5 other signatures 12->56 16 conhost.exe 12->16         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c7081e0e58dc4c306138f6287a984eee9ac748fb537394a6632688077857a09/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 00:08:37 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bryidyhfrxcmgbqtr5ripkme53u2y5epwu3tsstggjuia54fpieq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
169b591d42ac6dac4d0c5b803e6c4edcab60608f0983a8334339857e4a7588ee
GuLoader
602c4a00381adeeeaccbf4d58fc095e8e9e5af92badd8c6c4b3a6c374e17c3f9
GuLoader
69d141096955a35ede46b91e97129df4d8faead0e19c9b0badf180b7b0c8600f
GuLoader
788510bf3fc20aacc76bd0ed1884ff8452f4e79023f2f3ad3072efbd7e74139d
GuLoader
80e6370840a0f7058b777a5be72d7fe71f3dadcc5c0ec082c564e7decb5b1895
GuLoader
8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4
GuLoader
a9cb56006e0f08d147eb1aa68eab06ca2663ed3c7866bb110c5cae06fbf4768f
GuLoader
e0bf87c8ef8c048b6245ada3bf252c6de8ee83c8b2bcd293929eb83ea21073ba
GuLoader
+ 2'105 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/220927-gpqzxacfg3/
Behaviour
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Guloader,Cloudeye
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/41918550-d78f-4f97-a306-b64a9d3e90cb
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/78393919-6ad0-42dc-ad94-921ef5c6f838/
SH256 hash:
0c7081e0e58dc4c306138f6287a984eee9ac748fb537394a6632688077857a09
MD5 hash:
f73e8ec3fae604ade68d648af421cc64
SHA1 hash:
6c9ff836d72150944a6b78f26b9e608170424cf4
Link:
https://www.unpac.me/results/78393919-6ad0-42dc-ad94-921ef5c6f838/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.63
Link:
https://yomi.yoroi.company/submissions/0c7081e0e58dc4c306138f6287a984eee9ac748fb537394a6632688077857a09

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 0c7081e0e58dc4c306138f6287a984eee9ac748fb537394a6632688077857a09

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/313813/

Comments