MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f865ea5da07ebc805df7ea205e25e14271b0a475b278846c33f3733c4723a7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f865ea5da07ebc805df7ea205e25e14271b0a475b278846c33f3733c4723a7e
SHA3-384 hash: fa3457fb5bbd9059ec0d39b225a8e40854a83ae3ad5b08d4e319487dade1057b683d9bdbc4c6cde2ff5cf0ed8abedb26
SHA1 hash: 531c509fc13e59479f980ec2b2bfa7f20959e618
MD5 hash: 81be4ef4055799704efb59a568bbc549
humanhash: mirror-papa-seventeen-artist
File name:TENDER-REQUEST(03-9202 87004)_SOLARTRON.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-11-06 17:33:24 UTC
Last seen:2020-11-06 19:39:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f68756dc2833873b5ac05b0e38772df2 (6 x GuLoader)
ssdeep 1536:IPC9LtJBquIPq6Vzv/QhBhBDFk/zHC9La:t9TOC6V7/Q33GLi9
Threatray 883 similar samples on MalwareBazaar
TLSH BE936D3DB764C456C2218E781C255B2C4E82B5B9F0343B53F5CC098A2EFD26D6A939B5
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.solartron.co.th
Sending IP: 103.55.1.244
From: Solartron - Wuttigrai <wuttigrai_k@solartron.co.th>
Reply-To: Solartron - Wuttigrai <wuttigrai_k-solartron.co.th@mail.com>
Subject: ENQUIRY / TENDER - EARTHING SYSTEM & SOLAR SYSTEM
Attachment: TENDER-REQUEST03-9202 87004_SOLARTRON.rar (contains "TENDER-REQUEST(03-9202 87004)_SOLARTRON.exe")

GuLoader payload URL:
https://redesuperpops.com.br/spike/kayype_yiVRxMUa36.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.mt.9277.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/523502
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f865ea5da07ebc805df7ea205e25e14271b0a475b278846c33f3733c4723a7e/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 12:12:02 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6df5jo2a7v4qbo7p2ralys6cqtrwcshlmtyqrwdh43thrdshj7a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2b2166f900572c98775661fd3905d86451e7470c2e548fe234f20f2069c93331
GuLoader
485c73fe0877faf279ffb3673fdad3d2b2c3297e5003a09120b4ccc4d08d02d6
GuLoader
4b22d02a6db2e8116b50ce020b54380558f73833802f5a878f18560c30a7d8dd
GuLoader
8780cfbde0db4996b68e320d9d2576f39a2d7f99a8ed60ba0c4e543f17801bd9
GuLoader
9666c06b6da42bc3cc7ae265a46cd4d137c74a1be711151efe9a44c31a894a78
GuLoader
9e56b9c890057c4adac0a54f64720736438dcc1ba3cce009c7b510fea603f2e1
GuLoader
9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2
GuLoader
c2fdcd6737639defbb98a8cb6d0799f59644599d77b0d8bb231a64dfba2a26db
GuLoader
e031beb4c230faf0d895f0d40e5063d56c41d11cf6208a531a35176cd76e3a41
GuLoader
f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd
GuLoader
+ 873 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201106-8qrrgm8s8j/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
0f865ea5da07ebc805df7ea205e25e14271b0a475b278846c33f3733c4723a7e
MD5 hash:
81be4ef4055799704efb59a568bbc549
SHA1 hash:
531c509fc13e59479f980ec2b2bfa7f20959e618
Link:
https://www.unpac.me/results/b4d08ea1-3ce5-4660-b63e-e37e7cb24815/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 8249a4a280c71755af50db7b5a137b15fc8ec6c1176a121578d5f36fd6d2e0b5

GuLoader

Executable exe 0f865ea5da07ebc805df7ea205e25e14271b0a475b278846c33f3733c4723a7e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/755130/
  
Dropped by
MD5 3cca795b09666394ed7bbc1502a92959
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8249a4a280c71755af50db7b5a137b15fc8ec6c1176a121578d5f36fd6d2e0b5

Comments