MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73
SHA3-384 hash: caeb581d05a3ff3fe193000e7e212a89c55391ddfd4c7b5ae50bb3222414d5283d58c591f8a58a7dadacffcf78b12d09
SHA1 hash: a3d751c2a7d076efad0e4031d0b06c8cf052a1e4
MD5 hash: a5f52af4a63d102da64cda77412f8cf7
humanhash: ten-uncle-mobile-hotel
File name:PAYMENT_PDF.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2021-01-18 08:00:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a468bb2dc3574e0bac04516976bc7905 (3 x GuLoader)
ssdeep 768:7+HyRf3obA5vdcDyWMNYgI+N5vtVerAT2694vZ+AaPtjXJm2uWSkdO1:7cyRQbEvUyWsDvtVerAx2vZ+pPRYF
Threatray 4'678 similar samples on MalwareBazaar
TLSH 4573C592845AF474EAA58074FD1292FA540BAEA5D503B2FB20497D2CB9F3F402ED174F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: chele.com
Sending IP: 51.79.142.47
From: Account <maxwell@brennakirlin.ml>
Subject: RE: PAYMENT
Attachment: PAYMENT_PDF.IMG (contains "PAYMENT_PDF.exe")

GuLoader payload URL:
http://www.sandtonson.com/file/USA_gFOSAVSbiL233.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT_PDF.exe
Verdict:
No threats detected
Analysis date:
2021-01-18 08:12:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8fbd1f4-5e6b-404b-ae24-713993cd5520

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112439/
Detection(s):
PUA.Win.Adware.Popuper-6870622-0
Create hunting rule

PUA.Win.Adware.Popuper-6888135-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/583752
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 08:01:17 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=osjqgjxbxaguyyih7upb42a7bfuerpnwd2g3bbyhzw62hctnd5zq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
6f05a4c741ce687b728cad820f1bf2667037ae77a51760a559765195115d0ab9
GuLoader
726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352
GuLoader
84f409f8aee0cf253fba68ae4027348449045f7bfb8723ac8fe0336c21c0b0f6
GuLoader
87fdcca436e0e9e220acb51332720668c04460d48d1791368e734c1539bd1f77
GuLoader
9532627f43a3de7b9c4414517f18197a08969adec3c24e1c2f1856e32613d5cd
GuLoader
aec92581e48c5a9f8e8b920d595ecab2a0af7c81bc49e5d2d3d4bb9c317f1999
GuLoader
b69b9b6a6a6ddfcf0705b42fbf85f39534bef23b4a10a1b916ad105b6ac0ff62
GuLoader
c1ccf8689de88be32890345e454df2f1fa90e1e4033c0f63425001af42f7aef5
GuLoader
d07136d108ff4e1867ba77d46bd6f9e9f83e64566d83b1b7c2099dd0de7fc4a3
GuLoader
dde6436d3e8a969f96e4ccec6904631d562efad960e0e9a6a2a865174750f3d6
GuLoader
+ 4'668 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210118-g39w4llb66/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73
MD5 hash:
a5f52af4a63d102da64cda77412f8cf7
SHA1 hash:
a3d751c2a7d076efad0e4031d0b06c8cf052a1e4
Link:
https://www.unpac.me/results/8a58181b-1e2e-4298-9e34-76ca0cac08f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img c2846ac94f38d65e8625d2a66ede37086866b7a54ccd0e786783c01744c0a5f7

GuLoader

Executable exe 74930326e1b80d4c6107fd1e1e681f096848bdb61e8db08707cdbda38a6d1f73

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/969730/
  
Dropped by
MD5 1fbaccafd35cda7cbc2ef9cbe2da3bac
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c2846ac94f38d65e8625d2a66ede37086866b7a54ccd0e786783c01744c0a5f7
Cape
Cape
https://www.capesandbox.com/analysis/112439/

Comments