MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b56be4b90db19fb53dacfc6a255dd3acddd5a72e4083c85091fc4ad1482769c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b56be4b90db19fb53dacfc6a255dd3acddd5a72e4083c85091fc4ad1482769c
SHA3-384 hash: f3eaf2b3548cd70bd11654bd9038ffc9dee97c209a0cfb0353b491821937e32d9839838c22d243c15542d83fb453a1fc
SHA1 hash: d30ef1db2de511fec24d79c9a4c4cc5feb8e7eb6
MD5 hash: 0cd4e9bbfb1bf7684ae33ada4c733d0f
humanhash: monkey-mockingbird-july-alaska
File name:vale-remittance.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:57'344 bytes
First seen:2020-12-03 17:37:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 277010f73b829299387a797a681d7e8c (3 x GuLoader)
ssdeep 768:wkEZJDiLjwk1oozrKZM8u1tyxSk9GPHlI:REZJWfwk1aZM80yxSkwHu
Threatray 4'588 similar samples on MalwareBazaar
TLSH FB431A93E212D168F64C42B148C502645EDF6CB088559A4FA8D53A1D2AF3F963C6DFCF
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mtlfep05.bell.net
Sending IP: 184.150.200.94
From: Vale <myguptas@glowtronics.com>
Subject: Payment Remittance Advice.
Attachment: vale-remittance.iso (contains "vale-remittance.exe")

GuLoader payload URL:
https://mindforcehypnosis.com/fas/decemberomo_kxrZEKHm235.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106653/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/554972
Signature
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Potential malicious icon found
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 326584 Sample: vale-remittance.exe Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 40 g.msn.com 2->40 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Potential malicious icon found 2->58 60 Found malware configuration 2->60 62 7 other signatures 2->62 8 vale-remittance.exe 2->8         started        11 filename1.exe 2->11         started        13 filename1.exe 2->13         started        signatures3 process4 signatures5 64 Writes to foreign memory regions 8->64 66 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 8->66 68 Tries to detect Any.run 8->68 15 RegAsm.exe 1 21 8->15         started        20 RegAsm.exe 8->20         started        70 Tries to detect virtualization through RDTSC time measurements 11->70 72 Hides threads from debuggers 11->72 22 RegAsm.exe 11 11->22         started        24 RegAsm.exe 10 13->24         started        26 RegAsm.exe 13->26         started        process6 dnsIp7 42 decemberomo.duckdns.org 185.19.85.133, 49731, 6700 DATAWIRE-ASCH Switzerland 15->42 44 mindforcehypnosis.com 67.23.254.42, 443, 49727, 49746 DIMENOCUS United States 15->44 34 C:\Users\user\subfolder1\filename1.exe, PE32 15->34 dropped 36 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 15->36 dropped 48 Tries to detect Any.run 15->48 50 Hides threads from debuggers 15->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->52 28 conhost.exe 15->28         started        54 Tries to detect virtualization through RDTSC time measurements 20->54 38 C:\Users\user\AppData\...\RegAsm.exe.log, ASCII 22->38 dropped 30 conhost.exe 22->30         started        46 192.168.2.1 unknown unknown 24->46 32 conhost.exe 24->32         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b56be4b90db19fb53dacfc6a255dd3acddd5a72e4083c85091fc4ad1482769c/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 17:38:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tnll4s4q3mm7wu62z7dkevo5hlg52wts4qedzbijd7ck2feco2oa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
19294a8f3982807f6119e9720e8fde7c21fdc5c13be427f2c6fd130a7b532bec
GuLoader
27a443c41d963cea02a5f71b9c71d0c48a0d3b3080fdf57597cfc1f33174b6e7
GuLoader
53b73eaf0ce8661e44d17932e6f4481f7f505ca6a4080da2e34c0085a0c7da87
GuLoader
684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf
GuLoader
6da9387b15b610559fccc33c85fc328e56089b7356952782d0cdf49a9898404c
GuLoader
720d5c1288e9cf537f8aff3cad69e7b6bbd0950240ccb40c422c4ab94f7a1b16
GuLoader
7c38d073b77ff7afc8f65aac812316d0fa9356115f1f3e78aca9fd496d177cad
GuLoader
92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77
GuLoader
c444900170cfcfffd0053d55120ef3de1a37aef88ce5a927a3312b54411a4032
GuLoader
d3b837c6df7e17d6f6ff9c20066fa5b0064408935d62bacdd4c9b5791002b941
GuLoader
+ 4'578 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201203-pt9f1z1czj/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
9b56be4b90db19fb53dacfc6a255dd3acddd5a72e4083c85091fc4ad1482769c
MD5 hash:
0cd4e9bbfb1bf7684ae33ada4c733d0f
SHA1 hash:
d30ef1db2de511fec24d79c9a4c4cc5feb8e7eb6
Link:
https://www.unpac.me/results/69396501-bfb3-4743-8625-a9e45e69d4d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9b56be4b90db19fb53dacfc6a255dd3acddd5a72e4083c85091fc4ad1482769c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 41bc2b0c9bd4df5bdf9fda3693e23d4f25c2c6cc0f57abf8ede9c5f6c6782953

GuLoader

Executable exe 9b56be4b90db19fb53dacfc6a255dd3acddd5a72e4083c85091fc4ad1482769c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/886246/
  
Dropped by
MD5 f4fc38002260dc70c6bd85d37294bc13
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106653/
  
Dropped by
SHA256 41bc2b0c9bd4df5bdf9fda3693e23d4f25c2c6cc0f57abf8ede9c5f6c6782953

Comments