MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a75290effdceda2b1b0a8c2a16db9e172f406ae6ecce19539b0bdc5656613f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91a75290effdceda2b1b0a8c2a16db9e172f406ae6ecce19539b0bdc5656613f
SHA3-384 hash: aa4d0c034e43f0a925dd7a3aa5f00fbead4860c0484b8318d0b66335ea94debbb113cf9b3d0c5a4f12555185e1849f27
SHA1 hash: a87e892f654ae12167b934eef883562e6d7284ba
MD5 hash: 18e2c9f5c6e870ffd1e639e286ab38bc
humanhash: west-south-south-failed
File name:315800_Invoice_confirmation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2021-01-08 19:05:08 UTC
Last seen:2021-01-08 20:28:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 690ed9eee3aab240a93936dee17050b4 (6 x GuLoader)
ssdeep 768:JSxchMqP008iO0kx/BGJZwI6Zqp5X5LwxBS0kCjYjt8/mTk2ZISmQwEVH8ZvBaWY:phMp52f5LwbWumT1oREVH8Xx2
Threatray 4'561 similar samples on MalwareBazaar
TLSH 2793B4BFF3A0F732C34194F51A643E604798783219399B87E681671E3A799FEA124713
Reporter abuse_ch
Tags:Charter exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: impout003.msg.chrl.nc.charter.net
Sending IP: 47.43.20.27
From: Jerry David <nataly5@parfum-bhs.ru>
Subject: Payment Confirmation..
Attachment: 315800_Invoice_confirmation.iso (contains "315800_Invoice_confirmation.exe")

GuLoader payload URL:
https://dailyhintnews.com.ng/cam/janomo_IMpaIzePcr199.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
375
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
315800_Invoice_confirmation.exe
Verdict:
No threats detected
Analysis date:
2021-01-08 19:09:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ded286c-5dd9-47a5-963e-335fdfa54e2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111079/
Detection(s):
SecuriteInfo.com.FileRepMalware.8205.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/577096
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91a75290effdceda2b1b0a8c2a16db9e172f406ae6ecce19539b0bdc5656613f/
Threat name:
Win32.Downloader.GuloaderCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-01-08 19:06:08 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgtvfehp7xhnuky3bkgcufw3tyls6qdk43wm4gkttmf5yvswme7q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd
GuLoader
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
GuLoader
2b68ba16b8a44890c23fba68bccc1ef620ff3f12fd0d0fc2f7ffab92fcbde46e
GuLoader
37f99fd8cd0da50db89ff0b8fa05029e283aa5ac0cb8770dd17514dbf760f744
GuLoader
94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
GuLoader
96806ca7e35fc1840e35d756d2242c494fa734a81d76ceb8586fd10ef6548f39
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b32598815ea88a25f6459ae8b5035d0ed9c787d8fee5f124a24543c0550d9070
GuLoader
b33804d1bcadb3c28baad638d82f7510ab66451a5a602978dfa8f629e6bdca05
GuLoader
f67020d5de462a963aeeaae1afe2bba3ba629da38a85a035a9389c454a402d0a
GuLoader
+ 4'551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210108-acq4rr8wm6/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
91a75290effdceda2b1b0a8c2a16db9e172f406ae6ecce19539b0bdc5656613f
MD5 hash:
18e2c9f5c6e870ffd1e639e286ab38bc
SHA1 hash:
a87e892f654ae12167b934eef883562e6d7284ba
Link:
https://www.unpac.me/results/56e78681-fd87-41ef-b3ee-9532d45ff591/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/91a75290effdceda2b1b0a8c2a16db9e172f406ae6ecce19539b0bdc5656613f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 16a3eb996c29be470734646df65e030a565e365d6675d96a282161b47ab97992

GuLoader

Executable exe 91a75290effdceda2b1b0a8c2a16db9e172f406ae6ecce19539b0bdc5656613f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/951162/
  
Dropped by
MD5 1e98b0d418c0f981cc76ef47e08e6b1b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 16a3eb996c29be470734646df65e030a565e365d6675d96a282161b47ab97992
Cape
Cape
https://www.capesandbox.com/analysis/111079/

Comments