MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21afff77ea0ce89dca2d925ed0d8b5a61f7ab42ca9aca78019843e9e251bbcb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5



SHA256 hash: 21afff77ea0ce89dca2d925ed0d8b5a61f7ab42ca9aca78019843e9e251bbcb3
SHA3-384 hash: 71bbc94e6db1b13b7c5927cef468169a63b8ca743718c3205b642d8943741d0a7e92f8cb73948e9e699838fc3df76daa
SHA1 hash: a7838df5f7c9ff634e5f14f5214050ebfe83930f
MD5 hash: 88082512c0e181dad2f506893c40657b
humanhash: muppet-december-three-aspen
File name: i_Remittance.exe
Signature: GuLoader
File size: 61'440 bytes
First seen: 2020-12-03 17:41:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 277010f73b829299387a797a681d7e8c (3 x GuLoader)
ssdeep: 384:2YlbXDIEvUNEqbBKV6HDlSAxrZ7haSeVnFEEfJkbCmCTQgogpkgQwX/P:2OzLYBMVqz74Z1FQ+mNd5U
Threatray: 4'593 similar samples on MalwareBazaar
TLSH: 38530A03F6438866E4C345B35F7397A841933D75AE426903A9A87A4DF932DC1BC6DB0B
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: server.jayaproperty.com
Sending IP: 119.235.255.130
From: Vale <sales@horeco.com>
Subject: Payment Remittance Advice.
Attachment: i_Remittance.iso (contains "i_Remittance.exe")

GuLoader payload URL:
https://mindforcehypnosis.com/fas/decemberomo_FkoIc77.bin

Intelligence


File Origin
# of uploads: 1
# of downloads: 344
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nanocore GuLoader
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Potential malicious icon found
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph (ID: 326593; Sample: i_Remittance.exe; Startdate: 03/12/2020; Architecture: WINDOWS; Score: 100)

Start node: contacts g.msn.com; signatures: Multi AV Scanner detection for domain / URL; Potential malicious icon found; Malicious sample detected (through community Yara rule); 6 other signatures. Starts processes: i_Remittance.exe, filename1.exe, filename1.exe.

i_Remittance.exe: Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Hides threads from debuggers. Starts processes: RegAsm.exe, RegAsm.exe.

filename1.exe: Tries to detect virtualization through RDTSC time measurements.

RegAsm.exe (first instance): contacts decemberomo.duckdns.org 185.19.85.133, ports 49748, 6700 (DATAWIRE-ASCH, Switzerland); mindforcehypnosis.com 67.23.254.42, ports 443, 49747 (DIMENOCUS, United States); 192.168.2.1 (unknown). Dropped files: C:\Users\user\subfolder1\filename1.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (International). Signatures: Tries to detect Any.run; Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier). Starts process: conhost.exe.

RegAsm.exe (second instance): Tries to detect virtualization through RDTSC time measurements.
Threat name: Win32.Trojan.Vebzenpak
Status: Malicious
First seen: 2020-12-03 17:42:07 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SHA256 hash: 21afff77ea0ce89dca2d925ed0d8b5a61f7ab42ca9aca78019843e9e251bbcb3
MD5 hash: 88082512c0e181dad2f506893c40657b
SHA1 hash: a7838df5f7c9ff634e5f14f5214050ebfe83930f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Malspam
Malware family: GuLoader
File: Executable exe 21afff77ea0ce89dca2d925ed0d8b5a61f7ab42ca9aca78019843e9e251bbcb3 (this sample)
Delivery method: Distributed via e-mail attachment
