MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 737b239acfab89839b6bba6e0282a8949b2c1212803e94f76d7d9355b3e377ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 737b239acfab89839b6bba6e0282a8949b2c1212803e94f76d7d9355b3e377ec
SHA3-384 hash: 89cc07ab305f5870a4d8062b08cd1ea62f6e64558afd5ad2b1351a1d28b448fd8c194bede20602da586051c3e6f55333
SHA1 hash: f5872298cbfdff84ba74dfc13512a8ae127bf288
MD5 hash: c4bcbdb9b54174359ab91d4d6e4deea8
humanhash: three-neptune-jig-butter
File name:QUOTATION#89234A_2021_LISTED_Shipment_0022404ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2021-01-14 06:57:42 UTC
Last seen:2021-01-14 08:53:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f08e2fa188bfdb85d74117a6c20b7544 (14 x GuLoader)
ssdeep 1536:vqr3Jn0YMQ9aA0Zp8Y4sAe+ICx2TFi3nX+uVs9ghRY6:C7OjQsA0ZyYlj396a
Threatray 2'756 similar samples on MalwareBazaar
TLSH 6C83FAF53324FC93E61689F2A026E855CEBF50EDD628A471F424627D40BFFA00599A4F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: vm1752843.nvme.had.yt
Sending IP: 185.244.219.92
From: Traân troïng (Sales Dept) <sales.phatdt58@gmail.com>
Subject: REQUEST FOR QUOTATION (RFQ#38787-A)
Attachment: QUOTATION89234A_2021_LISTED_Shipment_0022404ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.arj (contains "QUOTATION#89234A_2021_LISTED_Shipment_0022404ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=A951308400164DD4&resid=A951308400164DD4%21109&authkey=ANqaiU2I-EAdxcs

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION#89234A_2021_LISTED_Shipment_0022404ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Verdict:
No threats detected
Analysis date:
2021-01-14 07:44:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb38b4f6-211d-442e-b5f8-84ab50d6e81b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111946/
Detection(s):
SecuriteInfo.com.Heur.PonyStealer.fm0@T0iS0ddi.8326.18985.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/581177
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/737b239acfab89839b6bba6e0282a8949b2c1212803e94f76d7d9355b3e377ec/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 06:58:13 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=on5shgwpvoeyhg3lxjxafavissnsyeqsqa7jj53npwjvlm7do7wa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
28e01bffab6c9c78d2760e8a5d28ae229b9547930b5ff75c3f1a8d0f68701df2
GuLoader
3e84acdb102f2437d07c3a28a7d06be9c322ce0840a2627bbddf01d49d337bfe
GuLoader
74defd8809c3c66152c56c0f711d60e7110683784e42df2d80dcf3e30c412f6a
GuLoader
8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
GuLoader
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
GuLoader
ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d
GuLoader
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
GuLoader
be1d469e7f434641202ffde45e666cd4b1d255814f8cbf344a3aff1e78e86768
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
GuLoader
+ 2'746 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-zmhnlnbmfj/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
737b239acfab89839b6bba6e0282a8949b2c1212803e94f76d7d9355b3e377ec
MD5 hash:
c4bcbdb9b54174359ab91d4d6e4deea8
SHA1 hash:
f5872298cbfdff84ba74dfc13512a8ae127bf288
Link:
https://www.unpac.me/results/db017815-a039-40ab-960d-d8ff4d8159b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Vcrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/737b239acfab89839b6bba6e0282a8949b2c1212803e94f76d7d9355b3e377ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj 362352dcafb628f602459d038818ddb32d3e622acc6508e28d12f9ed13e81b55

GuLoader

Executable exe 737b239acfab89839b6bba6e0282a8949b2c1212803e94f76d7d9355b3e377ec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/959921/
  
Dropped by
MD5 e5af19f3eaf6f19bbe9f12a76bcbdc3a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 362352dcafb628f602459d038818ddb32d3e622acc6508e28d12f9ed13e81b55
Cape
Cape
https://www.capesandbox.com/analysis/111946/

Comments