MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87eb95add82c1c9df19d4fb798583d1e62f04eb27dd654c50fa153ea2731f58d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87eb95add82c1c9df19d4fb798583d1e62f04eb27dd654c50fa153ea2731f58d
SHA3-384 hash: 937234d4c316f6da19886dfb03ceca850a9d503191647221f290bd12f70076e91d502982f6287368588123a793557b38
SHA1 hash: 0bc604ce9d15624ccd21b14ab1970de72183a8d3
MD5 hash: 0d4036c9207875749e901bdd70a6d817
humanhash: carolina-lemon-glucose-lima
File name:RFQ5983.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:124'648 bytes
First seen:2021-02-01 09:56:17 UTC
Last seen:2021-02-01 11:39:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0a455656e6ddb23a520f37451bfba76 (1 x GuLoader)
ssdeep 1536:ZNj7CgOagwzqoLZHHwyTV5H+DfvXM5uuHxlOnYA17l8ubAPAVQAjr:qgOagwDLZnfrHGfvX+uuHAMPAm2
Threatray 4'708 similar samples on MalwareBazaar
TLSH ABC31903F968AC81E205EF300834F9A96692FCFD6FD2CF1B70557B4A1EB67016D5426A
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: cloud01.worldeyecam.com
Sending IP: 66.115.164.12
From: Baker Sudqi Abubaker <bsabibekar@adnoc.ae>
Subject: NEW ORDER FROM EXHIBITION
Attachment: RFQ5983.zip (contains "RFQ5983.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1YAhYGS-v6BLnWt8V79sI89lhpXBsU2xC

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ5983.exe
Verdict:
No threats detected
Analysis date:
2021-02-01 09:59:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2db9174-8d86-4c07-9c31-5e3a22088b55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114470/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/595205
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87eb95add82c1c9df19d4fb798583d1e62f04eb27dd654c50fa153ea2731f58d/
Threat name:
Win32.Worm.Wbvb
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 09:57:29 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7vzlloyfqoj34m5j63zqwb5dzrpatvspxlfjripufj6ujzr6wgq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0e7ec69a6222b2753c0167997838b380acfd47834a6d1e7dd2475fd4fe07d63c
GuLoader
12bae6b2d092fc8c776ea509d90b393df8e8f336214bb155f7e2d7f18beb4cb1
GuLoader
13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c
GuLoader
859cc79621eca1e9b1bc85a569d0ddfcdf83440090e8e4ed7aa8054e2c9c460a
GuLoader
9d772f078ebff5dd18830b266cf39eaea44289e765d6290e8589e684a22d0946
GuLoader
b267c228b488319e3514de6a929f16f55e18cf8ac9924f2989b199ebe6b51a59
GuLoader
c8ea056cb229cc17d43217a6aba42320468cfaea55d6f9846b5f402bab6b06d0
GuLoader
d9ea7ed19010ef0c36ebd05d5abfd5624e21a33ad5e18ca36007671d86eba8b3
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
fc6c4135d3f170f4eabb81d6abc020cbdfe02b8c7e5c8c2cb42709b21d9b58e1
GuLoader
+ 4'698 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210201-4z3s6ez9ks/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
87eb95add82c1c9df19d4fb798583d1e62f04eb27dd654c50fa153ea2731f58d
MD5 hash:
0d4036c9207875749e901bdd70a6d817
SHA1 hash:
0bc604ce9d15624ccd21b14ab1970de72183a8d3
Link:
https://www.unpac.me/results/9dbee993-7b87-4b32-a7b9-b43bb599d614/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/87eb95add82c1c9df19d4fb798583d1e62f04eb27dd654c50fa153ea2731f58d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 41847d61f17513a48a53c1124d500448cef394495797e7f70384f8b5239a6a25

GuLoader

Executable exe 87eb95add82c1c9df19d4fb798583d1e62f04eb27dd654c50fa153ea2731f58d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/986186/
  
Dropped by
MD5 1a36334888488914019079e5b4225137
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 41847d61f17513a48a53c1124d500448cef394495797e7f70384f8b5239a6a25
Cape
Cape
https://www.capesandbox.com/analysis/114470/

Comments