MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a08f5c471f8b45f5936e088bd2834697d41df69ecc777d7e4797283471a93f96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a08f5c471f8b45f5936e088bd2834697d41df69ecc777d7e4797283471a93f96
SHA3-384 hash: 0353faa01a36320a437c5bb48a0529e18c6176dc32edcb34fa33e24626d3506ede7adf4d86a3b2d543a5dbe35c9acfec
SHA1 hash: c732cdd4b7fa44f9141f849fc83d76f8d412c279
MD5 hash: 47ad34d64e3d6b71904310bf9572234b
humanhash: bacon-zebra-bluebird-rugby
File name:BMG BUND.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:57'344 bytes
First seen:2021-03-03 07:40:22 UTC
Last seen:2021-03-05 14:41:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 172510e706fac20ca513b1196c612fb4 (1 x GuLoader)
ssdeep 384:rpwb1GaLbXk1tYPZaLtPW3YDCF/SDtCSaovbdS0F1SBk8AybdKxHRFuv:rpwb11L9axPWoDCRBovbYD7XdEHRFu
TLSH 24431927E6C8F6C4D17CD6320CE29E6CA416ECF8104FA3426D48B65FDA71A362C557A3
Reporter abuse_ch
Tags:DEU exe geo GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: server.zullenergy.com
Sending IP: 50.7.155.26
From: Jens Spahn <jens.spahn@bmg.bund.de>
Reply-To: k1@ecg-ingenieria.mx
Subject: Federal Ministry of Health Germany
Attachment: BMG BUND.zip (contains "BMG BUND.exe")

GuLoader payload URL:
https://01677937777.burrow.io/spark/bin-ups00_cHKimre249.bin

Intelligence

File Origin
# of uploads :
4
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BMG BUND.exe
Verdict:
No threats detected
Analysis date:
2021-03-03 07:52:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08054a6a-610d-4ef4-ae24-436b1a2a1692

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/121281/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.2782.4941.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/625647
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a08f5c471f8b45f5936e088bd2834697d41df69ecc777d7e4797283471a93f96/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uchvyry7rnc7le3obcf5fa2gs7kb35u6zr3x27shs4udi4njh6la._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210303-ny9ktw86kn/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
a08f5c471f8b45f5936e088bd2834697d41df69ecc777d7e4797283471a93f96
MD5 hash:
47ad34d64e3d6b71904310bf9572234b
SHA1 hash:
c732cdd4b7fa44f9141f849fc83d76f8d412c279
Link:
https://www.unpac.me/results/c9b81c06-d358-4acb-854f-a2416248d328/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/a08f5c471f8b45f5936e088bd2834697d41df69ecc777d7e4797283471a93f96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip b80ff7bfa533e3e46e48b5898b9ba3ee06e54cd8734eceda1c9fe29283547bd4

GuLoader

Executable exe a08f5c471f8b45f5936e088bd2834697d41df69ecc777d7e4797283471a93f96

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1043813/
  
Dropped by
MD5 6ae83a160674ba23c390a4a381ef49af
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/121281/
  
Dropped by
SHA256 b80ff7bfa533e3e46e48b5898b9ba3ee06e54cd8734eceda1c9fe29283547bd4

Comments