MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
SHA3-384 hash: 824b0b32e33067749f4304c5e09ab1f4c290776a31c4154b7b57eca49042ce6ab9a7bec4c12beb16feae99ea206ba484
SHA1 hash: 7e3cccc917f9ce20efac6fb2f5877c4bfa5218d2
MD5 hash: 4555360a3722412df3830a677887cdaf
humanhash: crazy-moon-item-washington
File name:AWB# 9284730932.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-12-02 09:19:59 UTC
Last seen:2020-12-02 10:51:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 951a5112c76125ac0abbc692febc26b8 (3 x GuLoader)
ssdeep 768:CwqRNmSZv1d+13s1zP+ALFzyxDB+ONH+zLf2DfrqR53ye+lWw6IEZrClvolURNm:FWdOH5xDRNH+zLf2brK+f6IaG4
Threatray 1'565 similar samples on MalwareBazaar
TLSH 4B936C44736FA9BEFFD68D730590E960E14BB6F02AA3493F708D4D290522142B7A5F1E
Reporter abuse_ch
Tags:DHL exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: server.inspiren.my
Sending IP: 137.59.109.82
From: DHL Express<eawb@iddhl.com>
Subject: EAWB Notification
Attachment: AWB 9284730932.rar (contains "AWB# 9284730932.exe")

GuLoader payload URL:
https://gorkaloyola.com/uplift/floow_PJNnJf28.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106366/
Detection(s):
SecuriteInfo.com.Artemis4555360A3722.4425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Gathering data
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/553402
Signature
Contain functionality to detect virtual machines
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 09:20:10 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4lohjqbulwl4cf3ozbit7ahm3pxzkhggt2usdmqkbk34t4consa._file
Verdict:
suspicious
Similar samples:
3f1aba2b3b15a74272a5b6e0aed4fd4df9e9b0286574dfc418c8f7c367fbff6c
GuLoader
440e883114d07c7101c029ff1d675cc1a174badabb01822ef53bf2d16b024eb6
GuLoader
501441ee833a2044c517c2354b5ad7ad874cef7821b91d3c2d94b20b2be9b1fd
GuLoader
98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced
GuLoader
a01fab213d5638b27a184eafedc18fbf43ef0dcd608e70bcd0ead3c506104611
GuLoader
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
GuLoader
ba7bdbafafbe370874a0a1a53e71176f76944663d6a113d5f7a673301c2c22d8
GuLoader
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
GuLoader
+ 1'555 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201202-jsb2w1g8qj/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
MD5 hash:
4555360a3722412df3830a677887cdaf
SHA1 hash:
7e3cccc917f9ce20efac6fb2f5877c4bfa5218d2
Link:
https://www.unpac.me/results/204b78b9-af5b-452c-9ab3-77638956894d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 3a1b32b0a79280e2d16a244d8c20da0b5d70b2fe8de8ce4109989d1487da21ed

GuLoader

Executable exe 8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/861122/
  
Dropped by
MD5 a2b5bf9ecef9f4a45471935402760e23
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3a1b32b0a79280e2d16a244d8c20da0b5d70b2fe8de8ce4109989d1487da21ed
Cape
Cape
https://www.capesandbox.com/analysis/106366/

Comments