MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97cb7740ec9f0643c911e147ef1365b17babef450c76257a54b65360b8a7556b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97cb7740ec9f0643c911e147ef1365b17babef450c76257a54b65360b8a7556b
SHA3-384 hash: 71608546d25cb43c0ba53e42d1454476880d86c558c0a9a93c7dd307fec733f6a0c7dbac4fcdf98a7f168b4c6ed4d311
SHA1 hash: b323653c46c4a37110e29ac42f73a3de43ca9645
MD5 hash: 6e60f9403fcee7cac8abbfe27ad26f9f
humanhash: high-green-hotel-virginia
File name:Purchase Order.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2021-09-03 08:27:46 UTC
Last seen:2021-09-03 09:35:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 929bd76d4a79150f11aeae8468aa1e9e (1 x GuLoader)
ssdeep 1536:pCi5rbF5wx7qLkfOzBQqgu5Nt0jup1eGeGy:UExgqLx8uNtsu7jF
Threatray 777 similar samples on MalwareBazaar
TLSH T12193AF331688E692F78A4671C53303431322EF935DB9AFE738C87E195672A0749F2A1C
Reporter GovCERT_CH
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
No threats detected
Analysis date:
2021-09-03 08:28:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f31f0a1a-7cff-4ed0-b15b-3e7c7c447cfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185077/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.23166.17527.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00eac227-fbaf-42a6-93e2-08863a35f8db
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844645
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: CMSTP Execution Process Creation
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477072 Sample: Purchase Order.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 47 www.mediamastersolutions.com 2->47 57 Potential malicious icon found 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 12 other signatures 2->63 11 Purchase Order.exe 2->11         started        signatures3 process4 signatures5 81 Tries to detect Any.run 11->81 83 Hides threads from debuggers 11->83 14 Purchase Order.exe 6 11->14         started        process6 dnsIp7 55 anzhelgenesh.com 185.36.81.32, 443, 49742 TELE-ASTeleAsiaLimitedHK Lithuania 14->55 87 Modifies the context of a thread in another process (thread injection) 14->87 89 Tries to detect Any.run 14->89 91 Maps a DLL or memory area into another process 14->91 93 3 other signatures 14->93 18 explorer.exe 3 6 14->18 injected signatures8 process9 dnsIp10 49 www.foodfromhungary.com 185.111.90.24, 49749, 49765, 49779 WEBSUPPORT-SRO-SK-ASSK Hungary 18->49 51 www.degreatlogisticsllc.com 178.238.47.153, 49750, 49766, 49782 MASTER-ASCzechRepublicwwwmasterczCZ Czech Republic 18->51 53 20 other IPs or domains 18->53 43 C:\Users\user\AppData\Local\...\oxl8ezwtm.exe, PE32 18->43 dropped 45 C:\Program Files (x86)\Dcf9\oxl8ezwtm.exe, PE32 18->45 dropped 65 System process connects to network (likely due to code injection or exploit) 18->65 67 Benign windows process drops PE files 18->67 23 cmstp.exe 1 12 18->23         started        26 oxl8ezwtm.exe 18->26         started        28 oxl8ezwtm.exe 18->28         started        file11 signatures12 process13 signatures14 69 Tries to steal Mail credentials (via file access) 23->69 71 Self deletion via cmd delete 23->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 79 3 other signatures 23->79 30 cmd.exe 2 23->30         started        33 cmd.exe 1 23->33         started        75 Tries to detect Any.run 26->75 77 Hides threads from debuggers 26->77 35 oxl8ezwtm.exe 26->35         started        37 oxl8ezwtm.exe 28->37         started        process15 signatures16 85 Tries to harvest and steal browser information (history, passwords, etc) 30->85 39 conhost.exe 30->39         started        41 conhost.exe 33->41         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97cb7740ec9f0643c911e147ef1365b17babef450c76257a54b65360b8a7556b/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 08:28:08 UTC
AV detection:
7 of 43 (16.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7fxoqhmt4dehsir4fd66e3fwf52x32fbr3ck6suwzjwbofhkvvq._file
Verdict:
suspicious
Similar samples:
2a0fe004390f3ffeb24b9bcd83620426b9c5a3c316801d248767035a072c29a1
GuLoader
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
GuLoader
72ba15b643720e9bc8de41f0a5a14b2931e7018e41bf798c8e8e5d4fd8d70c7b
GuLoader
81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363
GuLoader
9bdb2adacff9530fde8a0b020e84188b0b39995db62ba167608d8e2493bd3ee4
GuLoader
9fe616b7f813e2de5c4ebf53b624e0f1577014aae677f9f73dc99d8c1b19d140
GuLoader
cc8e7690934b9059a1613d246a6c933df5dd7b1e333038dc76f7839dcc5697cd
GuLoader
f7c8f897e59132dc4f1a8f57bb3ce13b9e72ab08fb9cc61c038f9ef618444c15
GuLoader
+ 767 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210903-kc1v5afhgk/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
97cb7740ec9f0643c911e147ef1365b17babef450c76257a54b65360b8a7556b
MD5 hash:
6e60f9403fcee7cac8abbfe27ad26f9f
SHA1 hash:
b323653c46c4a37110e29ac42f73a3de43ca9645
Link:
https://www.unpac.me/results/522417bf-989b-4fd8-b57e-38877d7882ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/97cb7740ec9f0643c911e147ef1365b17babef450c76257a54b65360b8a7556b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 97cb7740ec9f0643c911e147ef1365b17babef450c76257a54b65360b8a7556b

(this sample)

  
Dropped by
guloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/185077/

Comments