MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 952c1bc7773c529d609f5eac3d5268274cec23eb495ca6ce78a866a73f96aa24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 952c1bc7773c529d609f5eac3d5268274cec23eb495ca6ce78a866a73f96aa24
SHA3-384 hash: 805b2c3c1b05d92a607ac88a2b3410f4311490c4c20c8c3b29daea96c4c827571831584b061808a8a1d6b5c54c3d7667
SHA1 hash: dadf67b338f8223d06312da5d8d4a338dde816f3
MD5 hash: 098d627a93cd7687f54c4bd1c342e00d
humanhash: triple-crazy-beryllium-early
File name:098d627a93cd7687f54c4bd1c342e00d
Download: download sample
Signature GuLoader
Create hunting rule
File size:271'464 bytes
First seen:2021-07-27 16:12:52 UTC
Last seen:2021-07-27 18:47:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd2ccdbbf7ff5ffb1eee7d322c630393 (2 x GuLoader)
ssdeep 1536:0PnwsR1K/131Tjf8XYzyxSykhEFTXVjV10GhTGsMes:0/w+1Y3BkXSDy17GNZ
Threatray 5'233 similar samples on MalwareBazaar
TLSH T13144177067A7BD1BE809F9B0A703B024A5BDF1778A5C93D2A5C066299C75ED180F432F
dhash icon e8cc8c8e8e8ccce8 (1 x GuLoader)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:MISGOVERN
Issuer:MISGOVERN
Algorithm:sha256WithRSAEncryption
Valid from:2021-07-27T07:19:45Z
Valid to:2022-07-27T07:19:45Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: bf036a204fc81111b5eafe64a227591c915188f7db189b6faf4ccb9bae066575
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order L.P.B.PROMET .xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-27 14:52:35 UTC
Tags:
encrypted exploit CVE-2017-11882
Link:
https://app.any.run/tasks/3efa0c9b-1790-4ef7-a677-21a952698219

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174466/
Detection(s):
SecuriteInfo.com.Variant.Razy.898086.26784.25373.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2a2f764-659a-4843-a350-c5a60850bf64
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822523
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454935 Sample: 6sT97BIRo5.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 8 other signatures 2->42 10 6sT97BIRo5.exe 1 2->10         started        process3 signatures4 52 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->52 54 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->54 56 Tries to detect Any.run 10->56 58 2 other signatures 10->58 13 6sT97BIRo5.exe 6 10->13         started        process5 dnsIp6 34 kinmirai.org 133.130.104.18, 443, 49733 INTERQGMOInternetIncJP Japan 13->34 60 Modifies the context of a thread in another process (thread injection) 13->60 62 Tries to detect Any.run 13->62 64 Maps a DLL or memory area into another process 13->64 66 3 other signatures 13->66 17 explorer.exe 13->17 injected signatures7 process8 dnsIp9 28 www.gcbsclubc.com 103.120.82.56, 49755, 80 WEST263GO-HKWest263InternationalLimitedHK Hong Kong 17->28 30 137gate.com 31.44.185.28, 80 PINDC-ASRU Russian Federation 17->30 32 20 other IPs or domains 17->32 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmd.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 16:13:07 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
04b0bed3c67cf8a69f413a4f323055d71e3d0a8fec4a0cd96f3e667541b8e63a
GuLoader
27901356eb5538b402d917cbae797df863ec26c24f8d3126d0aa90ddd3cc7707
GuLoader
3c03c5f80df2762d336347192bcb146bd837550b208bab90b0e81d481d7e3506
GuLoader
57c19a6393af8083c0479541d3e7ae6bf2342dfcebff8ce7263e23d2681beb76
GuLoader
6be313f575251971aece301752d757d6446df0a2b86c0831405cf62103650f81
GuLoader
7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813
GuLoader
86a71b90222d2cca00dadf08403fa518224fc6dadc7d3db66a769ae2331ec6aa
GuLoader
a0dd70b6bb048ea0f1c638b58efd63479e1483760130c3cde1bbce6db75c0b8c
GuLoader
a5f5fc2f6e2c6e6318be4a81aff84d55ecdaa21e6ef6871c44fa409ebdada7e4
GuLoader
d24900f8d22bb415668f1f42513ddf6d58a1a44ff8f80b510fb8cb35b095c24f
GuLoader
+ 5'223 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210727-er3bfygecj/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
952c1bc7773c529d609f5eac3d5268274cec23eb495ca6ce78a866a73f96aa24
MD5 hash:
098d627a93cd7687f54c4bd1c342e00d
SHA1 hash:
dadf67b338f8223d06312da5d8d4a338dde816f3
Link:
https://www.unpac.me/results/099286bd-6542-4a9b-b555-f766bcbcd257/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/952c1bc7773c529d609f5eac3d5268274cec23eb495ca6ce78a866a73f96aa24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 952c1bc7773c529d609f5eac3d5268274cec23eb495ca6ce78a866a73f96aa24

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1484977/
Cape
Cape
https://www.capesandbox.com/analysis/174466/

Comments


Avatar
zbet commented on 2021-07-27 16:12:53 UTC

url : hxxp://180.214.239.39/registry/.svchost.exe