MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d44a1e98afe47c5a977fd9977f45d173a28a4cbe76f27e2adc5aa702b7ffc75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	6d44a1e98afe47c5a977fd9977f45d173a28a4cbe76f27e2adc5aa702b7ffc75
SHA3-384 hash:	25b10a11055aa8c5ef1848bd5aa3c3f8175ac075a190a3a829b07797e0c86cfb5e8bdfe6b04ed7d7b24c325ef20ccc86
SHA1 hash:	ccfcbc36c22530b58bb6f35707667f658923c9bf
MD5 hash:	6660a5670795be34d107d51a5323a6f3
humanhash:	nebraska-kitten-december-kansas
File name:	DHL_Shipment_Notification#5436637389_22_FEB.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	139'264 bytes
First seen:	2021-02-22 09:06:45 UTC
Last seen:	2021-02-22 10:56:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3f0d3842f1f621625b7b4016e6be4558 (2 x GuLoader)
ssdeep	1536:DWWTwV4fVhussgo2mzIggDnv+0op+CygfnMZaBmZJouxVQwV4MjW:nwVUPbbmcNDv+LHTMjZJoQqwV
Threatray	2'172 similar samples on MalwareBazaar
TLSH	22D34956B254E127D4184A739F1F89F41C356D2389707A0763DC3A0F26B1AED2BF6287
Reporter	JAMESWT_WT
Tags:	GuLoader

Intelligence

File Origin

# of uploads :

2

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

DHL_Shipment_Notification#5436637389_22_FEB.exe

Verdict:

Suspicious activity

Analysis date:

2021-02-22 09:08:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a49e2267-f1d6-4f9d-b248-7143b557c8c1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/118286/

Detection(s):

SecuriteInfo.com.W32.AIDetectGBM.malware.01.2577.1896.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/613900

Signature

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d44a1e98afe47c5a977fd9977f45d173a28a4cbe76f27e2adc5aa702b7ffc75/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvckd2mk7zd4lklx7wmxp5c5c45crjgl45xspyvnywvhak377r2q._file

Verdict:

unknown

Similar samples:

0940b9701bebcf58004ba4089e5d0d6ebbf882da6fce307f24b254f243063439

4290d442e13dea4987b3439a97deabd09dc72d8b38fff572ea287d1c4e9b71bd

4c6997804d58c9362349c9d5905e52c1e4a41c4db83541a3bf4f72097c8205f6

5d55ad4b75f1106d59cc53b92d90c8f343c5d893c774d436f44ae5508714f443

7052536e8f3b3224cdc9edc70a1a7f3a26ad0fc9c620c80eb91f9168ce81ad0c

7b71b12d30d6ce6adb82e9f8c105c1f1cc36ed8744b0c21cfa8aa08d21119f08

937207d136742595f9db854f55c1bc51fa5ec706510387ce35e037095432e1eb

a8f3dde862d7e81876c11ee41a7d5c6594e72e67d12496461157c56e24c10a35

ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d

ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f

+ 2'162 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210222-h1ybw2ft6a/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

6d44a1e98afe47c5a977fd9977f45d173a28a4cbe76f27e2adc5aa702b7ffc75

MD5 hash:

6660a5670795be34d107d51a5323a6f3

SHA1 hash:

ccfcbc36c22530b58bb6f35707667f658923c9bf

Link:

https://www.unpac.me/results/e6da2f7e-67e7-4848-9f34-1184795fb90b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tnega

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d44a1e98afe47c5a977fd9977f45d173a28a4cbe76f27e2adc5aa702b7ffc75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/118286/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample