MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6af9918a37bfd94d85920a17316ac90ca849903bd881f62245b6bc16bca8d33c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6af9918a37bfd94d85920a17316ac90ca849903bd881f62245b6bc16bca8d33c
SHA3-384 hash: f51a7a78f985a34f2bc40e434f9bfc122de1c105a832eff466a9d03585f79271b6906be68da92f4b4152cc15e66f8b5d
SHA1 hash: 44ce087751aa8618453226a308d3732283ca3b65
MD5 hash: 5d63bcb90ebdf1a247a04775362b4e64
humanhash: mountain-mountain-sink-ohio
File name:19287_Invoice_confirmation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2021-01-08 19:05:02 UTC
Last seen:2021-01-08 20:28:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 690ed9eee3aab240a93936dee17050b4 (6 x GuLoader)
ssdeep 768:oJOq2qP00sisCDa+7xPO06yTnLzBM6VncY/dKeJX6YsGDqdY3EyPPtITWXi6N1Zh:C2X7ePXZM6ldKeJAePjS6LZFrak/rt
Threatray 841 similar samples on MalwareBazaar
TLSH B493D67EF290FB72D24A80F05A147EB90358A8312A399B43D2C5671A377C9FED624747
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: parfum-bhs.ru
Sending IP: 84.42.40.54
From: Jerry David <nataly1@parfum-bhs.ru>
Subject: Payment Confirmation..
Attachment: 19287_Invoice_confirmation.iso (contains "19287_Invoice_confirmation.exe")

GuLoader payload URL:
https://newsnowextra.com/jk/janomo_AmXgUkgKck57.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
374
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
19287_Invoice_confirmation.exe
Verdict:
No threats detected
Analysis date:
2021-01-08 19:14:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7ce12a87-4bc8-4c8a-b967-8b97d59ad420

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111077/
Detection(s):
SecuriteInfo.com.Generic.mg.5d63bcb90ebdf1a2.18927.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/577098
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Potential malicious icon found
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6af9918a37bfd94d85920a17316ac90ca849903bd881f62245b6bc16bca8d33c/
Threat name:
Win32.Downloader.GuloaderCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-01-08 19:05:09 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nl4zdcrxx7mu3bmsbiltc2wjbsueteb33ca7misfw26bnpfi2m6a._file
Verdict:
suspicious
Similar samples:
02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd
GuLoader
0940b9701bebcf58004ba4089e5d0d6ebbf882da6fce307f24b254f243063439
GuLoader
305a2d609d4d34967a53c2f44b9c48acd3e683ac3be396bdb359ba0398da7a75
GuLoader
4290d442e13dea4987b3439a97deabd09dc72d8b38fff572ea287d1c4e9b71bd
GuLoader
5d55ad4b75f1106d59cc53b92d90c8f343c5d893c774d436f44ae5508714f443
GuLoader
7b71b12d30d6ce6adb82e9f8c105c1f1cc36ed8744b0c21cfa8aa08d21119f08
GuLoader
91a75290effdceda2b1b0a8c2a16db9e172f406ae6ecce19539b0bdc5656613f
GuLoader
a8f3dde862d7e81876c11ee41a7d5c6594e72e67d12496461157c56e24c10a35
GuLoader
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
GuLoader
f67020d5de462a963aeeaae1afe2bba3ba629da38a85a035a9389c454a402d0a
GuLoader
+ 831 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210108-xhyx76k7vs/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
6af9918a37bfd94d85920a17316ac90ca849903bd881f62245b6bc16bca8d33c
MD5 hash:
5d63bcb90ebdf1a247a04775362b4e64
SHA1 hash:
44ce087751aa8618453226a308d3732283ca3b65
Link:
https://www.unpac.me/results/c4cd13fa-1df3-4dcf-afe7-80d694877b8f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6af9918a37bfd94d85920a17316ac90ca849903bd881f62245b6bc16bca8d33c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 0da798fa2f61568547a3d9d4a8ce1197972a82720351d3efea816477d9e2f77d

GuLoader

Executable exe 6af9918a37bfd94d85920a17316ac90ca849903bd881f62245b6bc16bca8d33c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/951160/
  
Dropped by
MD5 28d0f89748cd1bc721b3a39b064b028d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0da798fa2f61568547a3d9d4a8ce1197972a82720351d3efea816477d9e2f77d
Cape
Cape
https://www.capesandbox.com/analysis/111077/

Comments