MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0
SHA3-384 hash: 076b05b7e8fe0403f8961d29fd72693afb7bd2ed740074d46ed3c2fac379b04daebf2e127eb88d109e625ac0e067a8dc
SHA1 hash: 6cda9cecf924e6e2fe967ed0ad0c1d189e41fb81
MD5 hash: 7f460fbf235c5e678b553edd2113d890
humanhash: papa-emma-batman-black
File name:RFQ-PR#20211201.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2021-01-12 07:24:14 UTC
Last seen:2021-01-12 08:55:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a71f44ac1c823400003a5bea275b301 (4 x GuLoader)
ssdeep 768:7UD0AyHMB8Q9+FAjnNGvM591DZH+vcLt/Wfu1FXpuIUQUzYRT:7JM9PEvy1HDh/MuPXIQCW
Threatray 695 similar samples on MalwareBazaar
TLSH FB93F8F47515EB61E62FAC717530E5258286B030BA12C52BB377AE3C49337E21984F9E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: cceechina.com
Sending IP: 222.128.44.226
From: KH Wong<clc@cceechina.com>
Reply-To: <seema@cosnas.in>
Subject: URGENT RFQ-PR#20211201
Attachment: RFQ-PR20211201.arj (contains "RFQ-PR#20211201.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=5D459187D4C37C0C&resid=5D459187D4C37C0C%21108&authkey=ACn5the3goJioQ0

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ-PR#20211201.exe
Verdict:
No threats detected
Analysis date:
2021-01-12 08:05:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/802b122c-a849-4168-8017-a6049090390f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111430/
Detection(s):
SecuriteInfo.com.Heur.PonyStealer.fm0@TOmqloci.21964.17677.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/578738
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 03:29:33 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dsjuju4zhox34ydtszcnb6xdgytwyt75qno2rhkewwhpjv2e53qa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
08361399bcfd6c87b301f7dd61be86d5eedf3013608d3cd98c818435bd43a724
GuLoader
20b3c1c5495ed7389cb63dfe6f990c7acd72edd8a6e385cbe698702647d44649
GuLoader
3ec48308cb3200731f34d1424d1724b17c1fb8b93af66b1597f7556ad335f5dd
GuLoader
4f6be4e4d79ceed809ddc6a51dd0acdd2e1eabd02253286f0230e0e1785a5586
GuLoader
550830c3012af3f38e4b3a4fbd7c5f34762d1176d4618977a4e0c148bab08bd7
GuLoader
77cd698dd8da0266aca9be3942b70558c060cbd5dca39450fbbab461f4b06b92
GuLoader
9e3ccccbdae5037867b30ec99ab71a8422ae9b0be42bf6b7ee0dddf07e4f03c0
GuLoader
b0db92be4f4c812dc5afd007d59f5f2c0288497bd002ae40f96ca7e6b6cb7b83
GuLoader
bb5e9e2aea9052040d072c9c9b161d2d5a88c50b049e5a505b016e80910256a0
GuLoader
f2b2f10c3c65d8f81641b20ebbf91ca7da5ba685282b24677a4c5561758f7226
GuLoader
+ 685 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210112-rtm2p6hnn6/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0
MD5 hash:
7f460fbf235c5e678b553edd2113d890
SHA1 hash:
6cda9cecf924e6e2fe967ed0ad0c1d189e41fb81
Link:
https://www.unpac.me/results/43c055cf-dc8c-413c-8423-800e8d8f5c3c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj 8c4932e3b30ec57ea574dd96226fc9bff7327b3d78a2e52d11d7b47619348e3d

GuLoader

Executable exe 1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/954600/
  
Dropped by
MD5 b09eb54dee18e6d9145bcb13b781e26f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8c4932e3b30ec57ea574dd96226fc9bff7327b3d78a2e52d11d7b47619348e3d
Cape
Cape
https://www.capesandbox.com/analysis/111430/

Comments