MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77
SHA3-384 hash: 5dc9efb5f1ec9c9e533abffadedea1d00668e5ae61cf5f77facaefd2e182d403126483e354966de4f0f0cfefe346f15d
SHA1 hash: fa064c3b98854b0a8176a7bd97bc3a077016868d
MD5 hash: a00a89a1a1ea04dee2b408af33777e7b
humanhash: mango-beryllium-echo-spring
File name:Claim001_JPEG.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:57'344 bytes
First seen:2020-10-15 17:23:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc142040f1330f837310d796991278ef (3 x GuLoader)
ssdeep 768:V1q/HeqCYnyUl1nrBm2e/t5gaez7BS5bKW3bqFI:/q/HestprTe/t5gaeZuqu
Threatray 2'336 similar samples on MalwareBazaar
TLSH 0043C3BEB3E88C65F85CFE72165186E80E5A7D317DE48A4F24B8B72A183770C9D01257
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

From: "Ivett" <support@tecehmech.network>
Subject: Current Complains with Order
Attachment: Claim 001 002_JPEG.uue (contains "Claim001_JPEG.scr")

GuLoader payload URL:
https://noticeartist.com/mpa/JB_NhfAuHIW231.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71554/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492857
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 13:01:29 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=slevq3chf2ydi3rocqr7k4d6tfthy65qh5kjofc3el6bvgz2tn3q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0b9431b196547553849eebdb7a4a6cb57fc6d7d9af2c61c1abfffbf83e337984
GuLoader
3628120506e72e0e92d1bbd4e6066a8297340d3f3aad66ced5bbb5881e4cff1e
GuLoader
3f2c710a97bb42579ee2f9956437ff160a68bd787439fbc025ab3d6b46076d34
GuLoader
4320e2bf2bc6115ae79a52777bdd9aef62db691a756640f9c7fa6e8372e46193
GuLoader
5eb158bf47ebe6172da19eff3f5924634a91a4e10186b352ada8b027e1c3c527
GuLoader
7c4fd841e891e2be6f0757679701669e927c58aedc94de97104666f0e89f6b04
GuLoader
7d59dfed8b95da94664078ba62cc2b0eb6d1a346b6d4d480aef47800680c74a5
GuLoader
b69b9b6a6a6ddfcf0705b42fbf85f39534bef23b4a10a1b916ad105b6ac0ff62
GuLoader
c8bdfc9eea22464897b3dae7829464348f27a1ff1989cf33d1de95bc0a99527f
GuLoader
dd57430d1f109d9a87f2959eea95f3162418c176cb7ca9878a64a4a879a2820c
GuLoader
+ 2'326 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201015-k6njynhmls/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77
MD5 hash:
a00a89a1a1ea04dee2b408af33777e7b
SHA1 hash:
fa064c3b98854b0a8176a7bd97bc3a077016868d
Link:
https://www.unpac.me/results/309b923a-08da-4254-80d1-4c7434b8a41c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

uue ab7d94893b1175fa7733afbb6782d769f3ccf98555a12e7715e63e3be630b04f

GuLoader

Executable exe 92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/698167/
  
Dropped by
MD5 1c1a08e8dde536a52b78a177c09a8f75
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71554/
  
Dropped by
SHA256 ab7d94893b1175fa7733afbb6782d769f3ccf98555a12e7715e63e3be630b04f

Comments