MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b94b072eaf480154e3add0b742144834350184c526edac1a635621132b70cb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b94b072eaf480154e3add0b742144834350184c526edac1a635621132b70cb3
SHA3-384 hash: a5a801622347942663a60101552dbe0514ac215add44bd5ad98fb2fe5a3aa3757deef8b7cfe795714f1a7b373c35e2ad
SHA1 hash: ea23e5fcfdb923dc6998069c44c5f9388a2c9c9e
MD5 hash: 61e397ed84952eeb3c4a1d46c9bd951a
humanhash: oranges-december-hydrogen-ten
File name:61e397ed84952eeb3c4a1d46c9bd951a
Download: download sample
Signature GuLoader
Create hunting rule
File size:118'784 bytes
First seen:2021-10-06 08:54:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 461dc836626597933929a467ef09b568 (4 x GuLoader)
ssdeep 1536:7SH7TF4JTdcfY46gpQ4kRIf1wjx6r8A7v3GheVD:7SHf2aQXRe1wjmD3Ghel
Threatray 3'842 similar samples on MalwareBazaar
TLSH T1B7C33A5132E5D899F0658D709ABAC2F44BE7FC5C8C12C31B2DC8391E3B796898A176F1
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma invoice Shipping documents.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-06 08:39:22 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/efd28275-3ba9-42b9-9b68-4745da56bf1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195366/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.16638.6158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/615d646c98a6280f3932cef7/reports/cbd4ae36-7d39-4193-9ac0-805d39e4c5bf/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37f24d5d-c118-40cb-85e0-2b6b23b173ee
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865469
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1531 Sample: 2WK7SGkGVZ.exe Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 41 www.bjyxszd520.xyz 2->41 43 www.visionmark.net 2->43 45 47 other IPs or domains 2->45 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Potential malicious icon found 2->65 67 Found malware configuration 2->67 71 12 other signatures 2->71 11 2WK7SGkGVZ.exe 1 1 2->11         started        signatures3 69 Performs DNS queries to domains with low reputation 41->69 process4 signatures5 85 Creates autostart registry keys with suspicious values (likely registry only malware) 11->85 87 Creates multiple autostart registry keys 11->87 89 Tries to detect Any.run 11->89 91 Hides threads from debuggers 11->91 14 2WK7SGkGVZ.exe 9 11->14         started        process6 dnsIp7 53 45.137.22.91, 49786, 80 ROOTLAYERNETNL Netherlands 14->53 37 C:\Users\user\AppData\Local\...\VKSTPR.exe, PE32 14->37 dropped 39 C:\Users\user\AppData\Local\...\VKSTPR.vbs, ASCII 14->39 dropped 55 Modifies the context of a thread in another process (thread injection) 14->55 57 Tries to detect Any.run 14->57 59 Maps a DLL or memory area into another process 14->59 61 3 other signatures 14->61 19 explorer.exe 1 14->19 injected file8 signatures9 process10 dnsIp11 47 www.ideemimarlikinsaat.com 178.18.193.120, 49826, 80 VARGONENTR Turkey 19->47 49 www.hsvfingerprinting.com 192.185.0.218, 49801, 80 UNIFIEDLAYER-AS-1US United States 19->49 51 26 other IPs or domains 19->51 73 System process connects to network (likely due to code injection or exploit) 19->73 23 rundll32.exe 1 12 19->23         started        signatures12 process13 signatures14 75 Tries to steal Mail credentials (via file access) 23->75 77 Self deletion via cmd delete 23->77 79 Creates multiple autostart registry keys 23->79 81 3 other signatures 23->81 26 cmd.exe 2 23->26         started        29 cmd.exe 1 23->29         started        31 firefox.exe 23->31         started        process15 signatures16 83 Tries to harvest and steal browser information (history, passwords, etc) 26->83 33 conhost.exe 26->33         started        35 conhost.exe 29->35         started        process17
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b94b072eaf480154e3add0b742144834350184c526edac1a635621132b70cb3/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 08:55:07 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
15f9bf54d8c4f819663ee61dcae4d24190a518b4cc107077148dd34985c00d70
GuLoader
231d6a2cadc26a70f5663ef666e8a0700946d10e9f845b1c11273b3ab3638611
GuLoader
39de6e1f455747a1e878f070e5b62e306a60bd595d5a1840518cc07972a5c6d1
GuLoader
6e85c6cfe631feef7d11250670efcbaf476886d8ee13d11a8873cc5df84a14f9
GuLoader
8eea0ae9eab289a6827156361ffad7987cebe3429422ba07724fa6921a47b2d0
GuLoader
9d32d8de3b01e191634bdd00355a38a310475b70ba31f69015b68db822995c31
GuLoader
b327968a39622e456e81fd6577f90bf39538035eb20ab909857f8aac31c90d5b
GuLoader
bf99b231b81ab2ba895c0cbf395a5fdb5fc18d3465592150e365f31302c8250a
GuLoader
db2cb497766c43686f90caf4e233f8d1fa1cce81388423ef6f95fce8ef67febc
GuLoader
e909198f5ca355e38c8459bc7ae2028ee25f849fde5c37714f914b87a94b5182
GuLoader
+ 3'832 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/211006-kvgj7sbbal/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
7b94b072eaf480154e3add0b742144834350184c526edac1a635621132b70cb3
MD5 hash:
61e397ed84952eeb3c4a1d46c9bd951a
SHA1 hash:
ea23e5fcfdb923dc6998069c44c5f9388a2c9c9e
Link:
https://www.unpac.me/results/4400a3db-7d92-4b0e-8d52-0f71b40f8d5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7b94b072eaf480154e3add0b742144834350184c526edac1a635621132b70cb3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 7b94b072eaf480154e3add0b742144834350184c526edac1a635621132b70cb3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195366/
  
URLhaus
https://urlhaus.abuse.ch/url/1657297/
  
URLhaus
https://urlhaus.abuse.ch/url/1657305/

Comments


Avatar
zbet commented on 2021-10-06 08:54:34 UTC

url : hxxp://107.172.13.131/007/vbc.exe