MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363
SHA3-384 hash: 8902932c8d78094a0c9b9361cf5599fbc862f7f682afb53193a433c1fefee5e79c6096e96dcc57eec4773378a7ecff99
SHA1 hash: 28415d98d50ceb4c3316aaff393bef656a9f4ad2
MD5 hash: 4e67bf00a10e57eac11e3f8f66546f9c
humanhash: twenty-magnesium-maryland-alabama
File name:Shipment Document BL,INV and Packing list Attached.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:189'528 bytes
First seen:2021-06-22 05:56:35 UTC
Last seen:2021-06-22 13:08:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 269fbb82c8f402e670c866cdbdfbba84 (4 x GuLoader, 2 x Loki, 1 x BitRAT)
ssdeep 3072:IwLKc0KG7gGK44dsGop/o5kkeWduQaqrHXYH5M7hL8:jPi7gt2h/oSkeWduQaqrHXYH5Y
Threatray 5'894 similar samples on MalwareBazaar
TLSH 94048EE37680F972D75984B256114AFD2D88AD301D6489C3E2C53B2FE7B6AD2D330626
Reporter cocaman
Tags:DHL exe GuLoader signed

Code Signing Certificate

Organisation:Opdigtende9
Issuer:Opdigtende9
Algorithm:sha256WithRSAEncryption
Valid from:2021-06-21T23:39:43Z
Valid to:2022-06-21T23:39:43Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: d375808f3237f9bb8415059f35ef5b94b9308f8c63e08521da0ce9acc5ad142e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment Document BL,INV and Packing list Attached.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-22 05:59:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c54fbd7f-8fd8-49e3-986d-4119cf07598f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167429/
Detection(s):
SecuriteInfo.com.Variant.Razy.880943.16942.27479.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfca6d31-9ebd-4314-ae37-0871140b7f5f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/805726
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 05:49:58 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qg7chtugg3eurynmlslg5zodj5zy7docbkufvtw3zjepslq76nrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
169ccc389d18d44f4693c1de00f47e1b405f530ea90903b68c23523fe86592b7
GuLoader
46a43e78123a8400e4eecc145ab51509a3cd7baae19f450d5150bb762d0bc34e
GuLoader
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
GuLoader
5e681acaddd90aaecc4edeb8a2fa514475a9ecec9458038d4d9e880a963b126f
GuLoader
5fc1f737492b4a7e01b1e2befa4e25b1a65c7a6a83b4ec419660d0c3c4894300
GuLoader
8ac1fc19367861f3a749d801300f554148e36a0e8a4f4cce3c5d3e4de43e4279
GuLoader
ad24fa8fe46848770e3bd8a2c2f084fd36e1916824b875204d7f9f2faa52375b
GuLoader
ce84812d0bb4086a806eb6bd6bda53c0656dd74569b1c40251d0ee1f84852460
GuLoader
d56c4c2f5d2fb1888a61723b99845f21742ab93794bc0fdcf146a67c33919e1f
GuLoader
df9518a17395e5cd3d467eaf82daec28250b168e6b31553b0a60712f05025380
GuLoader
+ 5'884 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/210622-5t2tnhn7an/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Deletes itself
Formbook Payload
Formbook
Guloader,Cloudeye
Malware Config
C2 Extraction:
https://onedrive.live.com/download?cid=7CE57EBD7A97D20C&resid=7CE57EBD7A97D20C%21107&authkey=ABprYQaNgWPFxNE
http://www.semenovdmitriik.club/bwk/
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/1fce9325-7e67-4984-8100-416e9e3d5198/
SH256 hash:
81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363
MD5 hash:
4e67bf00a10e57eac11e3f8f66546f9c
SHA1 hash:
28415d98d50ceb4c3316aaff393bef656a9f4ad2
Link:
https://www.unpac.me/results/1fce9325-7e67-4984-8100-416e9e3d5198/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

ace 5167497d28eb6a69ae2e73077e77dc1a2c2e68c72b23328c7bcc6979f8e05773

GuLoader

Executable exe 81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5167497d28eb6a69ae2e73077e77dc1a2c2e68c72b23328c7bcc6979f8e05773
Cape
Cape
https://www.capesandbox.com/analysis/167429/

Comments