MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 550830c3012af3f38e4b3a4fbd7c5f34762d1176d4618977a4e0c148bab08bd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 550830c3012af3f38e4b3a4fbd7c5f34762d1176d4618977a4e0c148bab08bd7
SHA3-384 hash: 991300dcb1f178e00fd21edfd26044b3ad0207445f19584694ce395b9a29b4d98a5ec01b8930674f6ae59ef0935c3d2d
SHA1 hash: 348d0ec7b5d5957a41585f5f670f90282e6ce75e
MD5 hash: 2fd73e6bfea5941b83a7f88159f0e3ae
humanhash: maryland-bravo-lemon-nine
File name:JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2021-01-11 08:18:06 UTC
Last seen:2021-01-11 11:51:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a71f44ac1c823400003a5bea275b301 (4 x GuLoader)
ssdeep 768:OC1+flQrxF25W4Gw28WY7d/3uYBBQedgpiWLkdEKtOVJuBlSMM:tuI25JVWYB+YLQeKidE/WH2
Threatray 4'520 similar samples on MalwareBazaar
TLSH E093F6C4738AFF62F585057806F4E83F41A5A0A0EB96403777B6962DBB237D1291E31B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: hole.com
Sending IP: 51.79.143.118
From: Nhung Do (Ms) <info.nhung@valentinozo.ga>
Subject: QUOTATION RFQ#38787-A
Attachment: JAN_QUOTATION_RFQ38787_A_Bich_Thien_Trading_Co_Ltd.arj (contains "JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=A951308400164DD4&resid=A951308400164DD4%21106&authkey=APE43C5aWsOop18

Intelligence

File Origin
# of uploads :
3
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JAN_QUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-11 08:33:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fca69e3c-1670-488e-8d2d-37def0f0f876

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111236/
Detection(s):
SecuriteInfo.com.generic.ml.7493.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/577701
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/550830c3012af3f38e4b3a4fbd7c5f34762d1176d4618977a4e0c148bab08bd7/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kuedbqybflz7hdslhjh327c7gr3c2elw2rqys55e4daurovqrplq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
08954829f50d1aade435fefd5e50e2aee86283ab378a54243892152eded51db8
GuLoader
1eb4f45e4e0f896a54ec9f0d5a0ee119d82c863dcb38843f4e7dd6d24790f4c5
GuLoader
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
GuLoader
2b68ba16b8a44890c23fba68bccc1ef620ff3f12fd0d0fc2f7ffab92fcbde46e
GuLoader
7b743eec66064abd181281fa1c0d614f856ee083d23348a10c9612765342ee67
GuLoader
94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b33804d1bcadb3c28baad638d82f7510ab66451a5a602978dfa8f629e6bdca05
GuLoader
d4d2c82cdc75f723e08d6139593a5a651e75e74b885acf480fe41c239d99e548
GuLoader
da84453f047b0c5e2a88e6ba46a11f390b4944f7c7f45563e19aef895c196e8e
GuLoader
+ 4'510 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210111-g5v3nse6n6/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
550830c3012af3f38e4b3a4fbd7c5f34762d1176d4618977a4e0c148bab08bd7
MD5 hash:
2fd73e6bfea5941b83a7f88159f0e3ae
SHA1 hash:
348d0ec7b5d5957a41585f5f670f90282e6ce75e
Link:
https://www.unpac.me/results/30c46aa1-2b71-40c1-aaef-de402477f43d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/550830c3012af3f38e4b3a4fbd7c5f34762d1176d4618977a4e0c148bab08bd7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj 14f4c8800634baa021417d2dd00661a044487d711140dead81bb5d359aa60fba

GuLoader

Executable exe 550830c3012af3f38e4b3a4fbd7c5f34762d1176d4618977a4e0c148bab08bd7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/952172/
  
Dropped by
MD5 ad49b4e8f455609d2053bbd5a7100b89
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111236/
  
Dropped by
SHA256 14f4c8800634baa021417d2dd00661a044487d711140dead81bb5d359aa60fba

Comments