MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6e4d566693de23d4e9a169b765d509c634451cbb24b61ed498a593e7163ed1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6e4d566693de23d4e9a169b765d509c634451cbb24b61ed498a593e7163ed1c
SHA3-384 hash: 88720ab4acc469e30b1bb27faf4ac370d2d1571707ebb6b8e7e2000bd0036b7f0912ee2667b49169b31385fd189f5cd0
SHA1 hash: fc833855144fdd29d691784f17149b6f4eabf081
MD5 hash: c98abe403d21f4249de8c92a1cd0a79c
humanhash: lion-sad-six-five
File name:permisoExportacionPdfCustomsDATADELEFLAG.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:57'344 bytes
First seen:2021-02-11 10:02:47 UTC
Last seen:2021-02-11 11:59:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8730a30436e34ba42f0dc68108c13924 (2 x GuLoader)
ssdeep 768:j8KhjM02mH0K++PODLpq1EVo6VPnrKMugobH:zhqmHU+yLU1OtHw
Threatray 5'108 similar samples on MalwareBazaar
TLSH 21435C56B249F530F0B286B51A1F529C5A5E6C3078268F2F3EB43A5F2D32D9166D033B
Reporter abuse_ch
Tags:ESP exe geo GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: 16.brokerland.net
Sending IP: 159.69.76.87
From: ACER LOGISTTICA <logistica@acerlogistica.com>
Subject: Solicitud de licencia de exportación
Attachment: permisoExportacionPdfCustomsDATADELEFLAG.gz (contains "permisoExportacionPdfCustomsDATADELEFLAG.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1SGVGZumxz3_kkwczkImP3Ay1NqI81wtS

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
permisoExportacionPdfCustomsDATADELEFLAG.exe
Verdict:
No threats detected
Analysis date:
2021-02-11 10:06:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ebf12782-a444-40d7-86a0-6cdbda4bddb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116768/
Detection(s):
SecuriteInfo.com.Variant.Graftor.918813.19360.2030.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/605732
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6e4d566693de23d4e9a169b765d509c634451cbb24b61ed498a593e7163ed1c/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 07:26:13 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3snkztjhxrd2tu2c2nxmxkqtrruiuolwjfwd3kjrjmt44ld5uoa._file
Verdict:
unknown
Similar samples:
1ab882dfacbd52561af0dc638b59dcaae0c738dd1d68b6eec5522b90104e23cb
GuLoader
27a443c41d963cea02a5f71b9c71d0c48a0d3b3080fdf57597cfc1f33174b6e7
GuLoader
42582301a45f364439c373addd94a25444999d6fd0c90f2678702b6909d6c413
GuLoader
53b73eaf0ce8661e44d17932e6f4481f7f505ca6a4080da2e34c0085a0c7da87
GuLoader
56b95c3399a705e1bcdc312f3c82749308279f744f1199a59e9bcb3818c194c9
GuLoader
684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf
GuLoader
720d5c1288e9cf537f8aff3cad69e7b6bbd0950240ccb40c422c4ab94f7a1b16
GuLoader
7c38d073b77ff7afc8f65aac812316d0fa9356115f1f3e78aca9fd496d177cad
GuLoader
92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77
GuLoader
c444900170cfcfffd0053d55120ef3de1a37aef88ce5a927a3312b54411a4032
GuLoader
+ 5'098 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-jmnlsvk9qs/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
a6e4d566693de23d4e9a169b765d509c634451cbb24b61ed498a593e7163ed1c
MD5 hash:
c98abe403d21f4249de8c92a1cd0a79c
SHA1 hash:
fc833855144fdd29d691784f17149b6f4eabf081
Link:
https://www.unpac.me/results/7dbab860-98b4-497c-a67d-42e00a3ae3ca/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 322591e724900e15aee6fb3c9fb49e5a2e31ba51f729c240a5334cf6f2870520

GuLoader

Executable exe a6e4d566693de23d4e9a169b765d509c634451cbb24b61ed498a593e7163ed1c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/999487/
  
Dropped by
MD5 c44be5880870cd8743f95a9c9bd2abbb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116768/
  
Dropped by
SHA256 322591e724900e15aee6fb3c9fb49e5a2e31ba51f729c240a5334cf6f2870520

Comments