MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20be0c183bcbe3cf8b803b2afa2a87fddd7ec2adc68666fa29eb15c77292a0b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 3



SHA256 hash: 20be0c183bcbe3cf8b803b2afa2a87fddd7ec2adc68666fa29eb15c77292a0b9
SHA3-384 hash: b79ea536d7cd2dcd704104ba0ad5e2f47787f23acfc694257bdc5ce3daeb280ecd200dfe6480380f25e6a158940c1d77
SHA1 hash: ff094e341170643012da85d22ed827eef1caf620
MD5 hash: 0ec8358b6ad33555441df80aaf54024f
humanhash: green-pizza-bacon-utah
File name: Proforma_Invioce #00190.exe
Signature: GuLoader
File size: 114'688 bytes
First seen: 2020-05-27 12:48:11 UTC
Last seen: 2020-05-27 14:13:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5089f9a440a3a480380dcacdf41fa5e4 (1 x GuLoader)
ssdeep: 768:cLsWQwEGGxOonH7aJ5KTU5msGUNEYCNxRq1MvZS41bH3HBQvS5+CrCl9ltrvA1:UfL+a4YmsLWYC3XBl3eS5GW
Threatray: 174 similar samples on MalwareBazaar
TLSH: 7CB3F807B6D0AC72DE64CBB168BED6612D32AD223C206F077248BB5D39361CE65D2747
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: nj-homeimprovement-contractor.com
Sending IP: 45.137.22.117
From: Anwar Marcus <pdi@nj-homeimprovement-contractor.com>
Reply-To: Anwar Marcus <pdi@nj-homeimprovement-contractor.com>
Subject: Re: Confirm revised invoice to proceed with payment ASAP.
Attachment: Proforma_Invioce 00190.zip (contains "Proforma_Invioce #00190.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1dz8-iw3L5E1Shc2UNoT8S6v5bweh5N3j
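The indicators in this entry (the file hashes, the sending IP and domain, the attachment names and the Google Drive payload URL) are directly usable for matching. The following is an added Python example, not code from MalwareBazaar or from abuse.ch: it parses a report written in the same "Key: value" layout as the comment above, pulls the file id out of a drive.google.com/uc?export=download URL, and checks the parsed fields, plus a file's MD5/SHA1/SHA256/SHA3-384 digests, against the values listed on this page. The indicator values are copied from the entry; the two report texts and the byte strings the script runs on are constructed for illustration, and the "Payload URL:" field name is this example's own convention, not something the comment uses.

```python
"""Match e-mail and file artefacts against the GuLoader indicators from this entry.

Added example (not MalwareBazaar or abuse.ch code). Indicator values are copied
from the entry above; the report texts and byte strings below are constructed.
"""
from __future__ import annotations

import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Indicators copied from the database entry and the reporter's comment.
IOCS = {
    "sha256": "20be0c183bcbe3cf8b803b2afa2a87fddd7ec2adc68666fa29eb15c77292a0b9",
    "sha1": "ff094e341170643012da85d22ed827eef1caf620",
    "md5": "0ec8358b6ad33555441df80aaf54024f",
    "sha3_384": "b79ea536d7cd2dcd704104ba0ad5e2f47787f23acfc694257bdc5ce3daeb280e"
                "cd200dfe6480380f25e6a158940c1d77",
    "sender_ips": {"45.137.22.117"},
    "sender_domains": {"nj-homeimprovement-contractor.com"},
    "attachment_names": {"Proforma_Invioce 00190.zip", "Proforma_Invioce #00190.exe"},
    "drive_ids": {"1dz8-iw3L5E1Shc2UNoT8S6v5bweh5N3j"},
}
HASH_ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def file_hashes(data: bytes) -> dict[str, str]:
    """Compute the hash family MalwareBazaar lists (MD5, SHA1, SHA256, SHA3-384)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def match_hashes(hashes: dict[str, str]) -> list[str]:
    """Return the algorithms whose digest equals this entry's value (case-insensitive)."""
    return [algo for algo in HASH_ALGOS if hashes.get(algo, "").lower() == IOCS[algo]]


def drive_file_id(url: str) -> str | None:
    """Extract the file id from a drive.google.com/uc?export=download&id=... URL."""
    parts = urlparse(url)
    if parts.hostname != "drive.google.com" or parts.path != "/uc":
        return None
    ids = parse_qs(parts.query).get("id")
    return ids[0] if ids else None


def email_domain(header: str) -> str | None:
    """'Anwar Marcus <pdi@example.com>' -> 'example.com'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header)
    return m.group(1).lower() if m else None


def attachment_names(value: str) -> set[str]:
    """'a.zip (contains "b.exe")' -> {'a.zip', 'b.exe'}; a bare name -> {name}."""
    names = set(re.findall(r'"([^"]+)"', value))  # names quoted inside "(contains ...)"
    outer = re.sub(r"\s*\(contains.*\)\s*$", "", value).strip()
    if outer:
        names.add(outer)
    return names


def parse_report(text: str) -> dict[str, str]:
    """Parse 'Key: value' lines (the layout of the reporter's comment) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")  # first ': ' only, so 'Subject: Re: ...' survives
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def match_report(fields: dict[str, str]) -> list[str]:
    """Return sorted 'indicator:value' hits for a parsed report."""
    hits = set()
    if fields.get("Sending IP") in IOCS["sender_ips"]:
        hits.add("sender_ip:" + fields["Sending IP"])
    if fields.get("HELO", "").lower() in IOCS["sender_domains"]:
        hits.add("helo_domain:" + fields["HELO"].lower())
    for hdr in ("From", "Reply-To"):
        domain = email_domain(fields.get(hdr, ""))
        if domain in IOCS["sender_domains"]:
            hits.add(f"{hdr.lower()}_domain:{domain}")
    for name in attachment_names(fields.get("Attachment", "")):
        if name in IOCS["attachment_names"]:
            hits.add("attachment:" + name)
    drive_id = drive_file_id(fields.get("Payload URL", ""))  # 'Payload URL' key is this example's own
    if drive_id in IOCS["drive_ids"]:
        hits.add("drive_id:" + drive_id)
    return sorted(hits)


# Constructed reports in the comment's layout (values of the first mirror the entry above).
MALSPAM_REPORT = """\
HELO: nj-homeimprovement-contractor.com
Sending IP: 45.137.22.117
From: Anwar Marcus <pdi@nj-homeimprovement-contractor.com>
Reply-To: Anwar Marcus <pdi@nj-homeimprovement-contractor.com>
Subject: Re: Confirm revised invoice to proceed with payment ASAP.
Attachment: Proforma_Invioce 00190.zip (contains "Proforma_Invioce #00190.exe")
Payload URL: https://drive.google.com/uc?export=download&id=1dz8-iw3L5E1Shc2UNoT8S6v5bweh5N3j
"""
BENIGN_REPORT = """\
HELO: mail.example.net
Sending IP: 192.0.2.10
From: Accounts <ap@example.net>
Subject: Invoice 00190
Attachment: Invoice_00190.pdf
"""

if __name__ == "__main__":
    for label, report in (("malspam", MALSPAM_REPORT), ("benign", BENIGN_REPORT)):
        print(label, match_report(parse_report(report)))
    # Any bytes other than the real sample will not match the listed digests.
    print(match_hashes(file_hashes(b"not the GuLoader sample")))
```

Matching on the Drive file id rather than the full URL is deliberate: the same id can be fetched through several URL shapes, so the id is the stable part. The hash comparison is exact-match only; ssdeep and TLSH similarity, which the entry also lists, need their respective libraries and are not covered here.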

Intelligence


File Origin
# of uploads: 2
# of downloads: 74
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Vebzenpak
Status: Malicious
First seen: 2020-05-27 13:36:01 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: GuLoader, Executable exe 20be0c183bcbe3cf8b803b2afa2a87fddd7ec2adc68666fa29eb15c77292a0b9 (this sample)
Delivery method: Distributed via e-mail attachment