MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aba1c467b0950b6f077dae1b48a7c73f8efa7a882b695bcf4849627a53d8c0be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aba1c467b0950b6f077dae1b48a7c73f8efa7a882b695bcf4849627a53d8c0be
SHA3-384 hash: 72ae218c7b7bbba40c88b0174da7404f2de9714f3637bf9afe13b78a4e57f44355b601c593648af7be8fa841cc468dcc
SHA1 hash: 435a1fb0a13c61306638ce15a1d4e8debed3a8c9
MD5 hash: 47b92bb86960fb07392c3a1b4431ab96
humanhash: uranus-table-friend-vermont
File name:New Sales.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2020-11-05 15:38:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96cf4e36f6d6288ab2f80c60297a3173 (2 x GuLoader)
ssdeep 768:Oz3ecKYK9kn4I931HeAhvbRHvEoxkE4nsoj+1S5c:Sec2Gn4I9FHpvbRP5kE4Dc
Threatray 3'057 similar samples on MalwareBazaar
TLSH 32735B417079ACBAF7B4CB31E853DABC8297BCB486528A073156261F0A337944D743AF
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mys.mysafehostuae.com
Sending IP: 109.203.108.149
From: Anna James <support@binkamilgroup.com>
Reply-To: tramzno@gmail.com
Subject: RE: New Products Inquiry HD
Attachment: New Sales3435367388.DOC.Z.rar (contains "New Sales.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=FB48A4C8EEABD3DA&resid=FB48A4C8EEABD3DA%211114&authkey=AE2WY5zGvoDhB0g

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83311/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521706
Signature
Contains functionality to hide a thread from the debugger
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Potential malicious icon found
Sigma detected: NanoCore
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309958 Sample: New Sales.exe Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 36 joseedward5001.ddns.net 2->36 38 sn-files.fe.1drv.com 2->38 40 2 other IPs or domains 2->40 64 Potential malicious icon found 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 8 other signatures 2->70 8 New Sales.exe 1 2->8         started        11 filename1.exe 2->11         started        13 filename1.exe 2->13         started        signatures3 process4 signatures5 72 Writes to foreign memory regions 8->72 74 Tries to detect Any.run 8->74 76 Hides threads from debuggers 8->76 15 RegAsm.exe 1 17 8->15         started        20 RegAsm.exe 8->20         started        78 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->78 80 Tries to detect virtualization through RDTSC time measurements 11->80 22 RegAsm.exe 10 11->22         started        24 RegAsm.exe 1 13->24         started        process6 dnsIp7 42 joseedward5001.ddns.net 84.38.134.123, 1604, 49708, 49710 DATACLUBLV Latvia 15->42 44 194.5.98.100, 1604, 49705, 49706 DANILENKODE Netherlands 15->44 52 4 other IPs or domains 15->52 32 C:\Users\user\subfolder1\filename1.exe, PE32 15->32 dropped 34 C:\Users\user\AppData\Roaming\...\run.dat, data 15->34 dropped 54 Tries to detect Any.run 15->54 56 Hides threads from debuggers 15->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->58 26 conhost.exe 15->26         started        60 Tries to detect virtualization through RDTSC time measurements 20->60 62 Contains functionality to hide a thread from the debugger 20->62 46 sn-files.fe.1drv.com 22->46 48 onedrive.live.com 22->48 50 ci8epa.sn.files.1drv.com 22->50 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aba1c467b0950b6f077dae1b48a7c73f8efa7a882b695bcf4849627a53d8c0be/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 10:23:24 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=voq4iz5qsufw6b35vynurj6hh6hpu6uifnuvxt2ijfrhuu6yyc7a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813
GuLoader
060500558c754696c0056ec073344071c058d198ea0dba06632f93edb1276624
GuLoader
07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
GuLoader
0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6
GuLoader
26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0
GuLoader
36c2790871534ef40e28ff56b3a7c51b38479f57a878ddef882590b8c9dd24d1
GuLoader
3f2c710a97bb42579ee2f9956437ff160a68bd787439fbc025ab3d6b46076d34
GuLoader
448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9
GuLoader
4acadb0925e9ed9375a93307e5fbee58a8bbefe02a97463bf45e45752a7cfe42
GuLoader
a891606327e5e625ddd626a1c63958e6575c2293bcfef7388fb803cef653f931
GuLoader
+ 3'047 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-c6p1pnyn56/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
aba1c467b0950b6f077dae1b48a7c73f8efa7a882b695bcf4849627a53d8c0be
MD5 hash:
47b92bb86960fb07392c3a1b4431ab96
SHA1 hash:
435a1fb0a13c61306638ce15a1d4e8debed3a8c9
Link:
https://www.unpac.me/results/4aade687-b12c-4bb4-8ffb-b110e7ae5d70/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar cffab59e232ab9f1773e85792cfd528d9bdd3c3790af3bb1f80011c9fa8b1391

GuLoader

Executable exe aba1c467b0950b6f077dae1b48a7c73f8efa7a882b695bcf4849627a53d8c0be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/790127/
  
Dropped by
MD5 473268346cdc46af165d6a3961331d89
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cffab59e232ab9f1773e85792cfd528d9bdd3c3790af3bb1f80011c9fa8b1391
Cape
Cape
https://www.capesandbox.com/analysis/83311/

Comments