MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8250b55601a05bc91cc88f36e0e99642682e4a0d2a8752afc0651c8eaa7a0706. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 7


SHA256 hash: 8250b55601a05bc91cc88f36e0e99642682e4a0d2a8752afc0651c8eaa7a0706
SHA3-384 hash: 80aef6411a80d669f9dfcce8b8349930cfc93b7901256ed8716d2400dd9e369488338c7968a3f5b3175ae4b0a80f8351
SHA1 hash: 93c4a41efb290dfb5b69655d478baf3159deed45
MD5 hash: 6ab492e4daf8b3c7ea22b08c806c5df5
humanhash: alanine-pizza-fruit-undress
File name: Quotation.bin
Signature: GuLoader
File size: 77'824 bytes
First seen: 2020-07-16 13:02:27 UTC
Last seen: 2020-07-16 14:07:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c3242e10845b04e6c5cab963243eb51d (1 x GuLoader)
ssdeep: 768:+Zm9H9r3mqPD8hH4yscgiubB7fpcYAVk90JwfG2LJhqSI:UmaqPD8hrsc27BcYAVk9WwfG2LJhE
Threatray: 930 similar samples on MalwareBazaar
TLSH: 0E734B3366AD10B5E270CBFF3A3154B41967AC655B08DF131848AF5F1A32A463CF552B
Reporter: JAMESWT_WT
Tags: GuLoader

Intelligence

File Origin
# of uploads:
2
# of downloads:
171
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Setting a single autorun event
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Threat name:
GuLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
[Behavior graph image not recoverable] Behavior Graph ID: 246990, Sample: Quotation.bin, Startdate: 19/07/2020, Architecture: WINDOWS, Score: 100. The graph shows Quotation.exe and filename1.exe starting RegAsm.exe and conhost.exe, the dropped file C:\Users\user\subfolder1\filename1.exe (PE32), and a connection to chuksurvive.to (104.31.69.84, CLOUDFLARENETUS, United States).
Threat name:
Win32.Trojan.Vebzenpak
Status:
Malicious
First seen:
2020-07-15 10:31:32 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 29 (75.86%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
1/10
Tags:
n/a
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments