MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91dfd41acf3e4f461c8c0c5ffdad45e08e92c839dd4f4f233b3e0ff57efd5064. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91dfd41acf3e4f461c8c0c5ffdad45e08e92c839dd4f4f233b3e0ff57efd5064
SHA3-384 hash: ead51645abe909d11d198a20db006b0e56b40b534ec8df674146ac828f4bee10b9a0862769ebb779273d7db8703dbef6
SHA1 hash: d4bdc1197640ddd33d5f8b274e472561de62b96e
MD5 hash: 280deef36e8bcf318d71ee70e6e93a8a
humanhash: leopard-early-beer-fix
File name:king.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-04-06 11:23:41 UTC
Last seen:2020-04-06 11:57:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e713fb1a787aa6ab59a70245648db77a (1 x GuLoader)
ssdeep 768:wdq5ZDl1eiGOXgmU5NCPZqB3fKBpXp6ql9LItgvyIXK+7U9o9X6:DFgmUNbBvkkql9bvyID7eoU
Threatray 392 similar samples on MalwareBazaar
TLSH 07A3C312BE90FE51C4109E71DE7ADBF80129FC70AE446A17BAC53F6F3970181B592B1A
Reporter cocaman
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Gamarue-7652399-0
Create hunting rule

Win.Dropper.Minix-7652403-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 12:13:21 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=shp5igwphzhumhembrp73lkf4chjfsbz3vhu6iz3hyh7k7x5kbsa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771
GuLoader
1e69b9f6dc891618bed32c776bb20ffc62b8ca9700241a145eb4246c23d864a4
GuLoader
345ed143bf3a28f74de72fa62a271a67fb28ae04e6ca0fefa8eb09c7782dc3e6
GuLoader
3ac04fc065e3f2ff00ce027de2cadcefbe88ec0fd7a8f1d578b3409419de2228
GuLoader
3ec48308cb3200731f34d1424d1724b17c1fb8b93af66b1597f7556ad335f5dd
GuLoader
4f72bf95216665e7d33e013a73c7ec71cdc9c221ad45f25ec74d20c1a06b8291
GuLoader
a9a7e2936d94dede1a6afb99ca32d775d6121d7580045f5ebb9beff211f0c271
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
d5db22a78bcc0ae5375634bd53679e610b3bad0d251836ca93b7821d4f7d147c
GuLoader
d74ec4c8e4b38d5258d5fcee7364b8dd0eeb165e6b0aa3edc544b160ceec7f89
GuLoader
+ 382 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Excel file xlsx 30ba983c41c400c82c194778c9ca6798383b00c80bec7b85c9c8010dd667fdcf

GuLoader

Executable exe 91dfd41acf3e4f461c8c0c5ffdad45e08e92c839dd4f4f233b3e0ff57efd5064

(this sample)

AveMariaRAT

Executable exe 6998249e77f7c33821b3678fbdbc0a843ca39d80d49aa55335b48ef7c4011ad2

  
Delivery method
Other
  
Dropped by
SHA256 30ba983c41c400c82c194778c9ca6798383b00c80bec7b85c9c8010dd667fdcf
  
URLhaus
https://urlhaus.abuse.ch/url/335715/
  
Dropping
SHA256 6998249e77f7c33821b3678fbdbc0a843ca39d80d49aa55335b48ef7c4011ad2
  
Dropping
MD5 596a8138a493a2e448525bdc8f1ea983

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen
MSVBVM60.DLL::__vbaErrorOverflow

Comments