MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 104c501ae9645ce51507f20ce38690bb928cd4ce49fa769022aab6c894f0ca8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 104c501ae9645ce51507f20ce38690bb928cd4ce49fa769022aab6c894f0ca8e
SHA3-384 hash: f98639de7052d8d21ef1dfb64848b2f3cd9619223ab068bd9528f600642b70cd000df5fc0c3d1b4c30ec60ea2617379c
SHA1 hash: 85401e54857a3559b45bc6a4331c485896cc7ffd
MD5 hash: 367b14ed63cc16ae5b19e5bcd41d2006
humanhash: carpet-ohio-fruit-summer
File name:Proof of payment.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2021-01-14 20:12:15 UTC
Last seen:2021-01-14 21:35:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a468bb2dc3574e0bac04516976bc7905 (3 x GuLoader)
ssdeep 768:UIdAJPZZ8zYaFBm5U5XeEwvJrK2obPm+1NQ3git3rSLyNmra7ZqdOR:U5JhZeYaJpegrl1NQzxQwn
Threatray 4'535 similar samples on MalwareBazaar
TLSH EE73F9615A66DC65E6D28034FC123AF400132EA0F542FAFB60997E2D79F3BD055E2B1E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: outbound.beonline247.co.za
Sending IP: 196.6.233.230
From: <krielsmith1@moorreesburg.net>
Reply-To: krielsmith1@moorreesburg.net
Subject: proof payment
Attachment: Proof of payment.img (contains "Proof of payment.exe")

GuLoader payload URL:
http://www.sowetoson.com/new/Host_yjwloaz52.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proof of payment.exe
Verdict:
No threats detected
Analysis date:
2021-01-14 20:38:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6847f899-9e87-44ca-8662-c45747ad6b4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112091/
Detection(s):
PUA.Win.Adware.Popuper-6870622-0
Create hunting rule

PUA.Win.Adware.Popuper-6888135-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/581822
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/104c501ae9645ce51507f20ce38690bb928cd4ce49fa769022aab6c894f0ca8e/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 13:57:09 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbgfagxjmrookfih6igohbuqxojizvgojh5hnebcvk3mrfhqzkha._file
Verdict:
unknown
Similar samples:
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
GuLoader
2b68ba16b8a44890c23fba68bccc1ef620ff3f12fd0d0fc2f7ffab92fcbde46e
GuLoader
37f99fd8cd0da50db89ff0b8fa05029e283aa5ac0cb8770dd17514dbf760f744
GuLoader
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
GuLoader
94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
GuLoader
96806ca7e35fc1840e35d756d2242c494fa734a81d76ceb8586fd10ef6548f39
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b32598815ea88a25f6459ae8b5035d0ed9c787d8fee5f124a24543c0550d9070
GuLoader
b33804d1bcadb3c28baad638d82f7510ab66451a5a602978dfa8f629e6bdca05
GuLoader
f473972f1bc6adb86928a21d4a7af08550aec0ca5c17056a95e830142a2e8f11
GuLoader
+ 4'525 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-l71ladtm7e/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
104c501ae9645ce51507f20ce38690bb928cd4ce49fa769022aab6c894f0ca8e
MD5 hash:
367b14ed63cc16ae5b19e5bcd41d2006
SHA1 hash:
85401e54857a3559b45bc6a4331c485896cc7ffd
Link:
https://www.unpac.me/results/7ba227e2-236c-46df-9af0-ca3465b061d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/104c501ae9645ce51507f20ce38690bb928cd4ce49fa769022aab6c894f0ca8e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 35e3c6d0b042106a91e1e9cfaf362ef2fcd0801bb8d1f1b993ebfa34ac8357a2

GuLoader

Executable exe 104c501ae9645ce51507f20ce38690bb928cd4ce49fa769022aab6c894f0ca8e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/960944/
  
Dropped by
MD5 a7088a431d375bd211b9c63e55d8bad2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112091/
  
Dropped by
SHA256 35e3c6d0b042106a91e1e9cfaf362ef2fcd0801bb8d1f1b993ebfa34ac8357a2

Comments