MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 692b099cb8eb863730179f28207ebf5579edd501a43c09fa3b9e177191840d27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	692b099cb8eb863730179f28207ebf5579edd501a43c09fa3b9e177191840d27
SHA3-384 hash:	900f2c65f91a4e6a15e74c3309f34a7bcae24f62a5a63c33e9afd23424b4315a395c655464376d08c1a6dc7c858fc260
SHA1 hash:	712a5eb7aca4edeb444b719ff4b92e6ca3d8c8bf
MD5 hash:	d5be4e60538c82d25075e1f0944b58d1
humanhash:	double-ceiling-comet-yankee
File name:	consignment invoice.pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	110'592 bytes
First seen:	2020-06-03 13:04:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ba7ffd4c2b2d67458d68b8fb6b4d000d (1 x GuLoader)
ssdeep	1536:Z/oSPfxV40ASHAinfkgrKHxLdGKc+o0FDHdZ1gIFGjkj3ndhkxtTly+Yk0RMU:Z/xPXIi/KVdhjFD9zBJj3dqbQRMU
Threatray	1'121 similar samples on MalwareBazaar
TLSH	05B37C03ED0D8553D1448BFD2E238E797B1DA90D4A406FEF35355EABAE322522CA711E
Reporter	abuse_ch
Tags:	exe GuLoader TNT

abuse_ch

Malspam distributing GuLoader:

HELO: sv1.f5solutions.ro
Sending IP: 185.84.65.209
From: TNT Shipment Notification <shipment@mail.tnt.com>
Subject: TNT Consignment Notification for 243740512
Attachment: consignment invoice.pdf.zip (contains "consignment invoice.pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1O6GZ1u4wtgMZswhfhz3BvgGjax3zLBCA

Intelligence

File Origin

# of uploads :

1

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6270/

Detection(s):

Win.Dropper.NetWire-7996875-0

Win.Malware.Razy-7997182-0

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-03 13:46:28 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

22 of 31 (70.97%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nevqthfy5oddomaxt4uca7v7kv463vibuq6at6r3tylxdemebutq._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

1acd132956421229e7c8fabb1001381956ff135d042b339f2871763498896d9e

41c40f2da6eefedf43d955988e5a29fec18a14b024741209acfd7a225899a3e4

87f0608e17f3f39e988ac186a431366e1de35968b89943a03f6681e23ab5b684

897c29c75ae58e4057c0d32c3704469a7ecfa4878f5d0c60ad8abe2fa821b0b0

983a50787533f7fb48c7aeccfe0cc8ea3b16a76a39b22a1668ef800ed56556f6

9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412

ad8132d2a341bf731c105eed4dea2357f5ab516c085550294593a2e41f34ebc4

bb2faadcbc0d7c66a84bb763e34cc811194f21a2222541a62fd1c0d9d3ce6c42

bc7549c1281f3ce45abcaad7408522374c97421e9031998b7959bd5e59b27a93

f3418e9ec01f4116a2ae079c709ee3c20455d66861951751474dbeb49ab75c26

+ 1'111 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-gnxdca5m4n/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip a99590957d7b3124e9804f84d6755edd4341f94952fbe8e2dfbc5df7d49d01e3

exe 692b099cb8eb863730179f28207ebf5579edd501a43c09fa3b9e177191840d27

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/375999/

Dropped by

MD5 64a51e26e593420dcfc0585d12810b12

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 a99590957d7b3124e9804f84d6755edd4341f94952fbe8e2dfbc5df7d49d01e3

Cape

Cape

https://www.capesandbox.com/analysis/6270/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample