MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91941aae141a39edd148e57a59fb42f041945b9ce76c4c6679a2ddf322815301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91941aae141a39edd148e57a59fb42f041945b9ce76c4c6679a2ddf322815301
SHA3-384 hash: 81ffaa9950b4fe40a7f27e67c03f4074885b64ef9eec395b55bd268b4bce235753f62af430c635d38c0e28eb4470e5c7
SHA1 hash: 3e96afd7f23b6f87896dd7f0841ae9f0afff55aa
MD5 hash: 439fe7971d8f3d8b8f7738044ac49fb2
humanhash: johnny-black-princess-alpha
File name:439fe7971d8f3d8b8f7738044ac49fb2.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:69'632 bytes
First seen:2020-12-08 16:21:31 UTC
Last seen:2020-12-08 17:57:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19a50f8a689b1fb4492b7f7bc8ae3f82 (4 x GuLoader)
ssdeep 768:bfxN3L//mbLADCyRTtYw7Z2DzQmfnuy6nSfVnIhF14Y7D:juXAmapYi2DzQmGNrW8D
Threatray 4'598 similar samples on MalwareBazaar
TLSH 8C63D7224E93BC7AC56642B1267C067906CAAB36426BCD1F22441F3F5E25F44FE7522F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
https://babusubramaniam.com/man5_IIXkwnQS3.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Guli.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-09 15:05:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff5ae9dd-b97d-4390-b5cb-478c8b66e533

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107299/
Detection(s):
SecuriteInfo.com.Variant.Razy.801171.25399.20606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558184
Signature
Antivirus detection for URL or domain
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Yara detected Lokibot
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91941aae141a39edd148e57a59fb42f041945b9ce76c4c6679a2ddf322815301/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 16:22:06 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgkbvlqudi463uki4v5ft62c6baziw4445weyztzulo7giubkmaq._file
Verdict:
suspicious
Similar samples:
116078d29890c8b0d748b2f2709d2768f7ad9ac04688db1f44189f019f62050f
GuLoader
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
GuLoader
37f99fd8cd0da50db89ff0b8fa05029e283aa5ac0cb8770dd17514dbf760f744
GuLoader
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
GuLoader
7b743eec66064abd181281fa1c0d614f856ee083d23348a10c9612765342ee67
GuLoader
94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b32598815ea88a25f6459ae8b5035d0ed9c787d8fee5f124a24543c0550d9070
GuLoader
b33804d1bcadb3c28baad638d82f7510ab66451a5a602978dfa8f629e6bdca05
GuLoader
f0cd0d44e8eb5d76e7ebb79fd5633814ecd3aeb8251dff223b0be04c1963616d
GuLoader
+ 4'588 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201208-2al79gqh52/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
91941aae141a39edd148e57a59fb42f041945b9ce76c4c6679a2ddf322815301
MD5 hash:
439fe7971d8f3d8b8f7738044ac49fb2
SHA1 hash:
3e96afd7f23b6f87896dd7f0841ae9f0afff55aa
Link:
https://www.unpac.me/results/80f8e579-f7e9-4dec-97a9-db3af60b497f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91941aae141a39edd148e57a59fb42f041945b9ce76c4c6679a2ddf322815301

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 91941aae141a39edd148e57a59fb42f041945b9ce76c4c6679a2ddf322815301

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/898843/
  
URLhaus
https://urlhaus.abuse.ch/url/896303/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107299/

Comments