MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1863e435245868f11b1ceb51fcecdc469caf817f754c3272139dffc2d81c4667. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1863e435245868f11b1ceb51fcecdc469caf817f754c3272139dffc2d81c4667
SHA3-384 hash: 0bf1d5e4c31796105ecec40ec0445b1547a8c716aaf6018013f0809bce14cd8b3be5cf08e7d87fb535dc1b60b6dd09e4
SHA1 hash: dbec9775b71afea80e557f59435e52b1a8382498
MD5 hash: bd2b34f99cbf20a7e48b2bf199c7e707
humanhash: freddie-earth-purple-green
File name:Prepayment invoice 5408.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:204'800 bytes
First seen:2020-10-26 15:50:22 UTC
Last seen:2020-10-28 01:17:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 76c18f607f92991b7df6dde6c973632a (2 x GuLoader)
ssdeep 1536:2GhB+UlPkbFx1ZjhGIBOrPaOYdSkjiRNqOP3e:NIx71hEbaFSkjiRrPu
Threatray 329 similar samples on MalwareBazaar
TLSH 1814CC7190F26BC9E8A68FF29EA0E689FFE70C509941461ED1A439F71133B84C6451FE
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cipla.com
Sending IP: 103.141.138.127
From: Heikki Timonen <rutuja.shinde@cipla.com>
Reply-To: Heikki Timonen <011teknew@gmail.com>
Subject: Prepayment invoice 5408 for your order ANNEX-No. 6 (50% advance)
Attachment: Prepayment invoice 5408.zip (contains "Prepayment invoice 5408.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79360/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512264
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305300 Sample: Prepayment invoice 5408.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected GuLoader 2->39 41 Yara detected AgentTesla 2->41 43 5 other signatures 2->43 7 Prepayment invoice 5408.exe 2->7         started        10 LFSRb.exe 2 2->10         started        12 LFSRb.exe 1 2->12         started        process3 signatures4 45 Tries to detect Any.run 7->45 47 Hides threads from debuggers 7->47 14 RegAsm.exe 7->14         started        17 RegAsm.exe 2 11 7->17         started        21 RegAsm.exe 7->21         started        23 RegAsm.exe 7->23         started        25 conhost.exe 10->25         started        27 conhost.exe 12->27         started        process5 dnsIp6 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->51 53 Contains functionality to detect hardware virtualization (CPUID execution measurement) 14->53 63 2 other signatures 14->63 33 googlehosted.l.googleusercontent.com 172.217.168.1, 443, 49749 GOOGLEUS United States 17->33 35 doc-0g-b8-docs.googleusercontent.com 17->35 31 C:\Users\user\AppData\Roaming\...\LFSRb.exe, PE32 17->31 dropped 55 Modifies the hosts file 17->55 57 Tries to detect Any.run 17->57 59 Hides threads from debuggers 17->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->61 29 conhost.exe 17->29         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1863e435245868f11b1ceb51fcecdc469caf817f754c3272139dffc2d81c4667/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 09:46:59 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbr6injelbupcgy45ni7z3g4i2ok7al7ovgde4qttx74fwa4iztq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
01cbd7ffa69b802c48571c9643d525c525493463b592a79336ee6757e9d54aa2
GuLoader
0951d8c7c31922177bfac1849388cf7e947d6e51ccbf936c7edd1e6d7c44da9d
GuLoader
0cf9ce17aeee086bf3085133f76a2ec2856900ac84a5dc017bbd0f4d46bbb40f
GuLoader
53891fe5d9e2ae2f182407272fd849ddab52f577adbd7b127a3b042cf560b714
GuLoader
59fa3af71958cd38baf920669e982c36378319c61006d360a8db9de50a75f5b7
GuLoader
6ddb553adbe57cb5a08a5469aaa1a8f1b8e53a34e0b0c9535684d14cf3eb4ea6
GuLoader
71ba6b649b4ea43c7139f5d429d2ec449f129fdc588c103546d5970a6db33103
GuLoader
99b13841abbf0c2bf736ab08e0e7f48cd28cab2e69eff60399de65e0eced2e68
GuLoader
ecf2d6637db61f16f9b10b5162986564741b5e5c5e9084d6a38fa61c9c7ea953
GuLoader
f6acfb0076b3a4e817b12f1f4e91eb89dbeeee1bca29d591949b73dfb604ef68
GuLoader
+ 319 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-hbsgyf3s3n/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip cb4ba50352ef373fab1d8f237bed69701340d8efddc48b0afe6bc981ae3511fb

GuLoader

Executable exe 1863e435245868f11b1ceb51fcecdc469caf817f754c3272139dffc2d81c4667

(this sample)

  
Dropped by
MD5 9beeb74941dd7c9f8a4c1ce272f87af8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cb4ba50352ef373fab1d8f237bed69701340d8efddc48b0afe6bc981ae3511fb
Cape
Cape
https://www.capesandbox.com/analysis/79360/

Comments