MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
SHA3-384 hash: 94a35ba8131fe5528b06923f04f5c00c05050ad2a25544a5ed05604e6c83af603773ed8c920a9e8c68477e99323b006e
SHA1 hash: 82a22cb59d46bae21fa4877015e163eacc04a022
MD5 hash: c8feb9d53b567cd1bfb0e59cf7d26bc2
humanhash: social-mobile-twelve-emma
File name:c8feb9d53b567cd1bfb0e59cf7d26bc2.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:118'784 bytes
First seen:2021-07-20 13:17:59 UTC
Last seen:2021-07-23 13:18:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5c4d602843f54570889588b32f7af650 (1 x GuLoader)
ssdeep 1536:/bjX1R6rHR+Gz6YsFdVfKcLe0NMDfuoFVHYGokXYtvcOOfgrJZ+R6rHJXdb:jjX1yH1HErzwmoFtoZtkJgrCyHJXd
Threatray 11 similar samples on MalwareBazaar
TLSH T1F3C3BF38E2987B2FD2B7DE7643E80BA388C18C956A50CB3EA7B6D25565235C07F35170
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Request for Quotation.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-20 11:59:46 UTC
Tags:
encrypted exploit CVE-2017-11882
Link:
https://app.any.run/tasks/c26ed108-dc3c-4426-83f6-ce8751774291

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172838/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.5294.22177.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ac88bdb9-4dc9-4ab8-8ae4-58ce0411a114
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spre.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818970
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
GuLoader behavior detected
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 13:18:16 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqva34k2tohdcjgwhdtvl4f5xlgq2hb76anvtm3ccoqzbjpfmrna._file
Verdict:
unknown
Similar samples:
1942767aa808c15413e31d945174cdea44f4eeed5da3d5831aff879c90eb7609
GuLoader
464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
GuLoader
7c7f5cb3a4abac7fd494817a20e4c8d52d6fa4951fa864836e8d3cdcbbff4841
GuLoader
984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d
GuLoader
a7187cba00f1ecf7d0ce8758c9376610eb513869152e7b4bd28e711f6b440053
GuLoader
c7095f2c5ed61c9d667c69aba9d9bc5b87b93f7fad5f49b1d5c66c4eb11b745e
GuLoader
df0ae29a5d084946d08e3703509599ade012396c14b9b591c78a077dc065b000
GuLoader
eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92
GuLoader
fbeb6fc678c983a023b892e0683af51a063ade164a64ae719c07241c3d5d15f1
GuLoader
+ 1 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210720-4mf3hke7rx/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
MD5 hash:
c8feb9d53b567cd1bfb0e59cf7d26bc2
SHA1 hash:
82a22cb59d46bae21fa4877015e163eacc04a022
Link:
https://www.unpac.me/results/c7df3460-f837-4bec-b2fe-4aa041a703e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1468585/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172838/
  
URLhaus
https://urlhaus.abuse.ch/url/1468687/

Comments