MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

SHA256 hash: 26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0
SHA3-384 hash: fd5dc4bbac3aa44bb53e7e1db846212cea567a5e96e6e4b36846c8fec98ec39dd543c1fcee89390351233933423363dd
SHA1 hash: 395fa0b527c1fddd0d6fd63480feb3b66d68f1b1
MD5 hash: 01199a22f6dcbcb3332388b2c7832784
humanhash: double-vermont-papa-winner
File name: Pictures,Images.scr
Signature: GuLoader
File size: 102'400 bytes
First seen: 2020-08-04 13:33:53 UTC
Last seen: 2020-08-04 15:22:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 83607e441ce971123637f10227afb414 (1 x GuLoader)
ssdeep: 768:Z+FjTlMlWRZ/9doZJ5HIanR5cwbrdenAuSJaay6gTCiOSJuraZ2P/dt7sk2mj:ZMnG+YJOgmtnvGaaq+cJureMuk2m
Threatray: 5'225 similar samples on MalwareBazaar
TLSH: 64A3D61691E84635F277DFB15D7846E7413D7C38392E858B5EF838AF33B2A098620627
Reporter: abuse_ch
Tags: GuLoader scr


abuse_ch
Malspam distributing GuLoader:

HELO: vps.hond-red.xyz
Sending IP: 45.95.169.93
From: info@hond-red.xyz
Reply-To: info@hond-red.xyz
Subject: About the Shipments
Attachment: Items Lists.img (contains "Pictures,Images.scr")

GuLoader payload URL:
http://seedwellresources.xyz/bin_dXCUEN226.bin

Intelligence

File Origin
# of uploads: 2
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Sending a UDP request

Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:

Result
Threat name: Win32.Trojan.Vebzenpak
Status: Malicious
First seen: 2020-08-04 13:35:08 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  GuLoader
    Executable exe 26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0 (this sample)

Delivery method: Distributed via e-mail attachment

Comments