MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab17573224e0a8567845f69380a783a59bef1f4d3574095ce47aea7bdf760e97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab17573224e0a8567845f69380a783a59bef1f4d3574095ce47aea7bdf760e97
SHA3-384 hash: 6b1b2719c41399345aab42e10595b01c2e8c7c2a2d8684a1a8db1ef4048a23b296a06be8bb5c1cb4bf063430e8e6517b
SHA1 hash: 5429ceb9b67938666ec3bab0dde4c3c224e3abbe
MD5 hash: f9622993d9dbc19f8fef45a01ac22c1c
humanhash: twenty-happy-delta-enemy
File name:615452_Invoice_confirmation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:69'632 bytes
First seen:2021-01-04 13:20:44 UTC
Last seen:2021-01-04 14:29:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f5d835cfb105d66fb22f8044bb8533f (4 x GuLoader)
ssdeep 1536:6W08f1bxeVHU1rtylPBZIZ5wLNy7Fo2fKKbzmeStk:T3lYUFtyl5sYk7FPfKgzzp
Threatray 780 similar samples on MalwareBazaar
TLSH 14631903A1A0E5F6F9C749BE0AD74FB91D117D702C658803E90A328F1F725EEA5A4736
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.winpal.net
Sending IP: 210.225.196.133
From: Peter Hamilton <edl@libre-essai.net>
Subject: 'Payment Confirmation'
Attachment: 615452_Invoice_confirmation.iso (contains "615452_Invoice_confirmation.exe")

GuLoader payload URL:
https://victoragboifo.com/ven/janomo_SpclxM91.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
615452_Invoice_confirmation.exe
Verdict:
No threats detected
Analysis date:
2021-01-04 13:31:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb9ac307-d190-418a-ae34-7a2d67a9b7b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110400/
Detection(s):
SecuriteInfo.com.Gen.NN.ZevbaCO.34700.em0@aenRRFab.27453.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/573372
Signature
Executable has a suspicious name (potential lure to open the executable)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Potential malicious icon found
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab17573224e0a8567845f69380a783a59bef1f4d3574095ce47aea7bdf760e97/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-01-04 13:21:07 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmlvomre4cufm6cf62jybj4duwn66h2ngv2asxheplvhxx3wb2lq._file
Verdict:
suspicious
Similar samples:
1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b
GuLoader
305a2d609d4d34967a53c2f44b9c48acd3e683ac3be396bdb359ba0398da7a75
GuLoader
37a3468d527e22a4cdd0c1e8717a5bca60db2cd8aaace1a4d25b65eeccd8079c
GuLoader
4576347a3a9ee138b98c0e500c1a0c1f662fbadc6629b9bba0c855016c97a1ef
GuLoader
8556575140ee35421e573d86cf9e34e1062e3e6718e7c7b0059de1502b6d6d61
GuLoader
a49855a8a95f24d6ee35f5853e894f13be32bcc91bb076811feb3943f14bce6d
GuLoader
bf2c56fa8b5e9c316ec1dd825a2f0275bc3a8356723d7cd0ff2a3ca5166e6e52
GuLoader
e0020d5328b75c4078556d235042c3afad2b7402db2b7a375280ddf48636c5a1
GuLoader
e45b4d0e0b338b2a3875466e875b008043acf8240da0d6caa2ec14d13c02fe41
GuLoader
e8f0dd4a951cb42729e34171301bf46bd708a8c1c1c0b5b7daf2ed9036b97cca
GuLoader
+ 770 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210104-wg2ldgtj9j/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
ab17573224e0a8567845f69380a783a59bef1f4d3574095ce47aea7bdf760e97
MD5 hash:
f9622993d9dbc19f8fef45a01ac22c1c
SHA1 hash:
5429ceb9b67938666ec3bab0dde4c3c224e3abbe
Link:
https://www.unpac.me/results/a310e6c6-ace7-47fa-90ea-efee5410746b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ab17573224e0a8567845f69380a783a59bef1f4d3574095ce47aea7bdf760e97

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 8ac628b3ff10b9b840276ff6db874874f2a119d710325aec17b0a30fe80efbc8

GuLoader

Executable exe ab17573224e0a8567845f69380a783a59bef1f4d3574095ce47aea7bdf760e97

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948781/
  
Dropped by
MD5 259d323c045939fc979b4a4154e16a0a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110400/
  
Dropped by
SHA256 8ac628b3ff10b9b840276ff6db874874f2a119d710325aec17b0a30fe80efbc8

Comments