MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dad25bb4c66c85c54da83d5c2ed752ed7c3452863fc4b46bda7cf440fef509b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dad25bb4c66c85c54da83d5c2ed752ed7c3452863fc4b46bda7cf440fef509b
SHA3-384 hash: 467cb2ecb65a8883f0fa9fbf6f2a55276496d77b31b63e9136787ea4c6f0b8d7e62f933bf4b0429ab6c75c1d8da66cd0
SHA1 hash: ac7f647322c4e9fbfa16346fef76380889afd54a
MD5 hash: d3a121ef260799d4f5875d3b0a668f20
humanhash: bacon-paris-venus-robert
File name:list.dwg.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-06-03 13:03:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a7c724bc9af09d01563411d4e66e0214 (1 x GuLoader)
ssdeep 1536:nLSPfxV40Wv/0HYmkgrKHxLdGKc+o0FDHdZ1gI0S8lq5h8QF:nOPXS/04oKVdhjFD9zevQF
Threatray 1'005 similar samples on MalwareBazaar
TLSH 5BB37B03EC8D8653D1548BBC2E179DB93A0DB90E0D445FDF75399EABAE312422CA711E
Reporter abuse_ch
Tags:exe geo GuLoader KOR


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail-smail-vm49.hanmail.net
Sending IP: 203.133.180.237
From: 로이 유 <nare1430@hanmail.net>
Subject: 견적요청의 件:HYUNDAI MASS QUARANTREAT PROJECT
Attachment: HYUNDAI MASS QUARANTREAT PROJECT.dwg.iso (contains "list.dwg.exe")

GuLoader payload URL:
http://ekenefb34logs.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/smik_DmaNZPfC106.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6268/
Detection(s):
Win.Dropper.NetWire-7996875-0
Create hunting rule

Win.Malware.Razy-7997182-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 13:21:05 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=twwslo2mm3efyvg2qpk4f3lvf3l4grjimp6ewrv5u7huid7pkcnq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771
GuLoader
3e3529db8cde73fcdb792f6414ebe6fb9a6ec5ba5cf5f503376a795387b2020e
GuLoader
639c28cc97accffb8a92a13ad5056da2a739421ef4965e768fa57356a6685d19
GuLoader
6535df8dcbd659939c18a93ee2b58e8ef05898e1baa30932cf3cfa876659d183
GuLoader
7d110a4f6f206b5fb49742150bdbd7ffc43b29a5b2fa32424ef32aa20c4696f8
GuLoader
93dc44981a771519cbdf592c8391ada5234cd2f6c19fc0bb4b3233867db9a345
GuLoader
c8bdfc9eea22464897b3dae7829464348f27a1ff1989cf33d1de95bc0a99527f
GuLoader
c8e91120db97c2cc33d799fb33cefcb6e199cb68c824500f22ec8fc1736a90b4
GuLoader
ca1db184290b274c1f78b091bf019926fa258dd8b1f5bb316a55832aec970338
GuLoader
d2e24bc0bcfa7c04b2e8a382a6ead3200ca865a771144d29d778af86559cb0ae
GuLoader
+ 995 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-6p9v97rmr6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 1333e9df14cf720e51b08eb87e2e900f049ea6af4a8cf0cb94a49887918b3241

GuLoader

Executable exe 9dad25bb4c66c85c54da83d5c2ed752ed7c3452863fc4b46bda7cf440fef509b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374147/
  
Dropped by
MD5 0ad977fdf62a902488556f47b4ab1e58
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1333e9df14cf720e51b08eb87e2e900f049ea6af4a8cf0cb94a49887918b3241
Cape
Cape
https://www.capesandbox.com/analysis/6268/

Comments