MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bbb7a110f15909ed9997e96ecb3f5322fb50eacc9b63670f7897ebfb62d8f91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5



SHA256 hash: 1bbb7a110f15909ed9997e96ecb3f5322fb50eacc9b63670f7897ebfb62d8f91
SHA3-384 hash: c1076218f586d54044d2952eda997b65b63a05c96737a846eaa6725eaadc80d7dd7ef67fb530f2f24333fcafaaa4f474
SHA1 hash: 3bf41969d7f3f3771c5513e35b9a2d3539e2e622
MD5 hash: a9a633957222953cb7423eadfdd19725
humanhash: three-december-alabama-edward
File name: DHL Shipping Documents_jpg.exe
Signature: GuLoader
File size: 90'112 bytes
First seen: 2020-08-10 12:49:43 UTC
Last seen: 2020-08-10 14:03:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 377ea45d19398a548366f08b9df6f024 (1 x GuLoader)
ssdeep: 768:EUg0AnJabZdJ9mFpvtBN43//jjwgQwhCVdX+CBdcot+0:a1nojm3u3//jjM7VdX+C7cot+
Threatray: 43 similar samples on MalwareBazaar
TLSH: 3C934B42A589FA32F218CAB51D3916F784BEBC3469834E4B38487F1B3672E17D45631B
Reporter: abuse_ch
Tags: DHL exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: mta0.bosum-mould.com
Sending IP: 104.168.220.7
From: DHL EXPRESS <info@bosum-mould.com>
Reply-To: paulas@sigrnfg.com
Subject: Original Shipping Documents Commercial Invoice ,B/L
Attachment: DHL Shipping Documents_jpg.rar (contains "DHL Shipping Documents_jpg.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=8E778D4A23C91A07&resid=8E778D4A23C91A07%21254&authkey=AMd_OEsUIxZ4dRE

Intelligence

File Origin
# of uploads: 2
# of downloads: 135
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a window
Sending a UDP request

Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature:
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Result
Threat name: Win32.Trojan.Vebzenpak
Status: Malicious
First seen: 2020-08-10 12:51:09 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
Suspicious use of SetWindowsHookEx
Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 1bbb7a110f15909ed9997e96ecb3f5322fb50eacc9b63670f7897ebfb62d8f91 (this sample)

Delivery method: Distributed via e-mail attachment

Comments