MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e6cbdf027504241b57b420f6577a040d6d0a35f7df929c549182b32fc853b2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e6cbdf027504241b57b420f6577a040d6d0a35f7df929c549182b32fc853b2d
SHA3-384 hash: ad1ad9951cc9d7d1d459155aece215ad7f4c9512a7a9924285639f70685b07e2de16bd672d7fc76e6c452a673d4fb543
SHA1 hash: d47e4667e2cb0d3fdabcb4442564ae096b8decab
MD5 hash: aff12f438c2f001d1de6537a4f5dabc2
humanhash: snake-kilo-montana-coffee
File name:Purchase Order No. XDK-201103-004.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:118'784 bytes
First seen:2021-08-06 13:39:53 UTC
Last seen:2021-08-07 11:15:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b947ef57db12504396f2fb768b954d80 (5 x GuLoader)
ssdeep 1536:7hZqFdM9asMHTvnUEX0yvsTtCrGFVOOSV:FwFduPMHTxX0ysCtd
Threatray 1'206 similar samples on MalwareBazaar
TLSH T158C318B0F5F3A49AF215CB3E1337516BCAF378A3590E502EA4249369883598D93E4636
dhash icon 8000f2e8ccd4e8ba (5 x GuLoader)
Reporter abuse_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order No. XDK-201103-004.exe
Verdict:
No threats detected
Analysis date:
2021-08-06 13:56:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0db09745-299a-4392-b033-ef02fe05b5a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177028/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.2207.7205.27072.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea51984d-25be-462e-875c-0e583f6f161b
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
evad.spre.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828321
Signature
Executable has a suspicious name (potential lure to open the executable)
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e6cbdf027504241b57b420f6577a040d6d0a35f7df929c549182b32fc853b2d/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 13:40:19 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tzwl34bhkbbednl3iihwk55aidlnbi27px4strkjdavtf7efhmwq._file
Verdict:
unknown
Similar samples:
26696d196e986fff9dee1658e3a502745410101d3709ec129be7d100fcd8f526
GuLoader
29bcd4f06dd92b104f47acf511a47742f03d7eca0321ad099c964954416f821d
GuLoader
4408a236c1a945807f223863ff6e940659dadb964e3cd15fffee9f9a0b4f7530
GuLoader
639c28cc97accffb8a92a13ad5056da2a739421ef4965e768fa57356a6685d19
GuLoader
6a9066b12a2f166d08dbf5dbe518236571d7a9719f09673d32080287cf23d5be
GuLoader
82e103d51a6261e2e40f59c1d4c3ba819eb02910acb85a76e0de1e739e77433e
GuLoader
895e7e85e398a6bd3615a8453c1ed21979a2676fa84af0e53077635f812b64fc
GuLoader
991289640d200976fd319f76f9acbbf7f3e304b24b5117cb8da23bcf091b2a06
GuLoader
d89afcb5a9cd0b710f6790931566822009c12fa344857e1c35791181035f21ce
GuLoader
e5a816999e872c25ee4802b2602b043aeb0660633a5fec196f6d4705799bbf62
GuLoader
+ 1'196 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210806-2kxpyhqxje/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
9e6cbdf027504241b57b420f6577a040d6d0a35f7df929c549182b32fc853b2d
MD5 hash:
aff12f438c2f001d1de6537a4f5dabc2
SHA1 hash:
d47e4667e2cb0d3fdabcb4442564ae096b8decab
Link:
https://www.unpac.me/results/5bf2fa83-96a0-41d3-ad0f-521cac12434e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9e6cbdf027504241b57b420f6577a040d6d0a35f7df929c549182b32fc853b2d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 9e6cbdf027504241b57b420f6577a040d6d0a35f7df929c549182b32fc853b2d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177028/

Comments