MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e5007396123f9b1a018685b7cf2e42cc508b58ab216df305808f65408f21388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e5007396123f9b1a018685b7cf2e42cc508b58ab216df305808f65408f21388
SHA3-384 hash: eaa1c4f307276f0f0ed25daa80a6a0a6c61ee6a33c3aaa43f3949ab14f1863792ebe017492d3e8d5628cdc7cad47e4c2
SHA1 hash: 37e371f26a51c4f6d8977bfebc312c164c2a5735
MD5 hash: 198b59cdc034f2191632c922d7f899ca
humanhash: jig-sodium-river-moon
File name:PO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-08-05 08:30:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d57a2066a14899d5d329f1129d874cc (5 x GuLoader)
ssdeep 768:raQS45mIEictcRkUtzZG1Fo4Vo0Y4F051G3+0XPPa:rVSJZictcRkURAFokonO3XPP
Threatray 600 similar samples on MalwareBazaar
TLSH C8832902B084E632F615C6B45B3951F7157ABC301656CF07A2487F2B3AFEE4E96A2353
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: alibcompositeltd.pw
Sending IP: 104.168.190.254
From: "ART IMPEX GROUP LLP" <info@alibcompositeltd.pw>
Subject: RE: New Purchase Order
Attachment: PO.zip (contains "PO.exe")

GuLoader payload URL:
http://anakleather.ir/chukwukaa_pYDreKwXV241.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39210/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/410572
Signature
Hides threads from debuggers
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 257552 Sample: PO.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 56 6 PO.exe 1 2->6         started        signatures3 14 Writes to foreign memory regions 6->14 16 Tries to detect Any.run 6->16 18 Tries to detect virtualization through RDTSC time measurements 6->18 20 Hides threads from debuggers 6->20 9 RegAsm.exe 1 6->9         started        process4 signatures5 22 Tries to detect virtualization through RDTSC time measurements 9->22 12 conhost.exe 9->12         started        process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e5007396123f9b1a018685b7cf2e42cc508b58ab216df305808f65408f21388/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 04:34:04 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bziaoolbep43diaynbnxz4xeftcqrnmkwiln6mcybd3fichscoea._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
10481c8ab9d363251e4d1aab4805df6d245621a5f10302fe5ed8cdd9f20bdc14
GuLoader
121ae52814e12a816b25602c6db7ae2a86af12b1b11e9c06874b9b03c3c81e98
GuLoader
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
GuLoader
70da37182d8bd664853445333e0d7d594355e64287daf830ef307a1aae9f7e2a
GuLoader
8d88c99ff33ecbed42e4185b925f890a616aa0307a559d61595ab67dae6a1a09
GuLoader
ab8e874a1010d724e8008b46a262fdddcd8847c5bd5e43a62abe6e48ae324f71
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
c688c6b0f5bd44c8d37e810000892ce8d0e2225f1dd04a92d454fd60c7cdc779
GuLoader
cee8a845815daa1914a89033be9f89287fab6194e8b8b700ec058013d6fa8c54
GuLoader
ef8f03a25087eeab581d8439a0a19ba7148270d2210d479c1d6867fac69dc813
GuLoader
+ 590 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-ynqpkn5jjn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e5007396123f9b1a018685b7cf2e42cc508b58ab216df305808f65408f21388

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip b113e8f35553dbbbe42ffe8dafde4a136114ca4f7804f62be26d8a93cf277b01

GuLoader

Executable exe 0e5007396123f9b1a018685b7cf2e42cc508b58ab216df305808f65408f21388

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/424600/
  
Dropped by
MD5 1ffd906a163f7a9d8812a4abfaff3b8a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b113e8f35553dbbbe42ffe8dafde4a136114ca4f7804f62be26d8a93cf277b01
Cape
Cape
https://www.capesandbox.com/analysis/39210/

Comments