MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 128fa77a11cedbe782819f0d2e2666a04e4f8d2966a72f215c77b8933c914a47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

SHA256 hash: 128fa77a11cedbe782819f0d2e2666a04e4f8d2966a72f215c77b8933c914a47
SHA3-384 hash: 8e5b569749c14203faeb06ba92cf101a424d121ff888e1936cff43db0f29fdbe13b0c74aea4c08bce4e414d7a20c1261
SHA1 hash: db06ffb667569ab3b379012567c27919c36d885a
MD5 hash: 76b6c2b227dd2ae92bb3b86a66a8fe52
humanhash: oklahoma-hotel-jig-nuts
File name: Agreement Terms Sample.pdf.exe
Signature: GuLoader
File size: 65'536 bytes
First seen: 2021-01-13 20:07:08 UTC
Last seen: 2021-01-13 21:59:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e4e19abc2b8b3cdf6beb846e51c393a2 (4 x GuLoader)
ssdeep: 768:tdhWOzU3SN+0MX6x7Z4LNeLmKETN3rWCC0Kg:/hWSUCN+1Xc7ONeFIJ3Hp
Threatray: 4'536 similar samples on MalwareBazaar
TLSH: C753BE2CED49D59AD64A73F13125CA8463F35528A7E3CF03FE541C913CBEAC52B81299
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: core-hosting.eu
Sending IP: 5.253.179.29
From: Mr. Giuseppe Fazzina <g.fazzina@swisssteelgroup.com>
Subject: OUR PO#TA-LOC-20-0254
Attachment: Agreement Terms Sample.pdf.gz (contains "Agreement Terms Sample.pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=18g0x59dKntmW5wvsgrGhUW5SKboAY3zS

Intelligence


File Origin
# of uploads: 2
# of downloads: 236
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Agreement Terms & Sample.pdf.gz
Verdict: Suspicious activity
Analysis date: 2021-01-13 10:25:31 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
- Creating a window
- Sending a UDP request

Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
- Contains functionality to detect hardware virtualization (CPUID execution measurement)
- Found potential dummy code loops (likely to delay analysis)
- Initial sample is a PE file and has a suspicious name
- Multi AV Scanner detection for submitted file
- Potential time zone aware malware
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to detect virtualization through RDTSC time measurements
- Uses an obfuscated file name to hide its real file extension (double extension)
- Yara detected GuLoader
- Yara detected VB6 Downloader Generic
Threat name: Win32.Trojan.Malrep
Status: Suspicious
First seen: 2021-01-13 08:30:59 UTC
AV detection: 11 of 28 (39.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
- Suspicious use of SetWindowsHookEx
Unpacked files
SHA256 hash: 128fa77a11cedbe782819f0d2e2666a04e4f8d2966a72f215c77b8933c914a47
MD5 hash: 76b6c2b227dd2ae92bb3b86a66a8fe52
SHA1 hash: db06ffb667569ab3b379012567c27919c36d885a

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe 128fa77a11cedbe782819f0d2e2666a04e4f8d2966a72f215c77b8933c914a47 (this sample)

Delivery method: Distributed via e-mail attachment
