MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49
SHA3-384 hash:	6e7e6e56f692fa97add3e9d0bc59757aea1f627e81f18f35598a1f5a17362cef5af7cc95203b7a5794d263552c4f47ca
SHA1 hash:	41a2bc145326728d8ece91a8fca79b93f9a79eca
MD5 hash:	7febbbdad91d543bb1893577c0d9afa5
humanhash:	stream-utah-burger-table
File name:	ekstre_04-08-2020.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-08-04 15:22:43 UTC
Last seen:	2020-08-04 15:56:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b14fbce5f9f9bc107756ce22e4e7feb2 (1 x GuLoader)
ssdeep	768:m1JflGmz9dwkuGcUQRyjQOZ8uTMXCzmq8Ukt2c2P/Q7s+7RFJ:m1dl/yRyjQgPXmqTktnuiRF
Threatray	1'626 similar samples on MalwareBazaar
TLSH	03A3D816A5E84639F2A7DF714D7446F7417DBC38382EC98B4EE4399A37B3E048610A27
Reporter	abuse_ch
Tags:	exe geo GuLoader TUR ZiraatBank

abuse_ch

Malspam distributing GuLoader:

HELO: neo.composeit.hu
Sending IP: 185.51.67.119
From: ZIRAAT BANKASI <zb.ekstria@ileti.ziraatbank.com.tr>
Subject: T.C. Ziraat Bankasi Hesap Ekstresi
Attachment: ekstre_04-08-2020.iso (contains "ekstre_04-08-2020.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1eKHAR39_MoPcZq3VOS2AFZ752tgRSw4I

Intelligence

File Origin

# of uploads :

2

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38810/

Detection(s):

SecuriteInfo.com.Variant.Graftor.808153.2132.31817.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/409690

Signature

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Tries to detect Any.run

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-08-04 15:24:09 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vzvfacvul2dcphbuvewetujponyw6csjeb2rqdg22sfhmg7trneq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

045a0ca823585d73272d70c8b35e6a91c0fcbe5221a088f48db5e613a67be2a5

4b610516f134b6efb2100a2e298a70b573be1cd6c4d653af007b907f11ff065e

58faef99e4fcfd4f1b48907d4dcc145c0aa1013e43d938abd7a164ff46104975

6ba2ab2afade3c48fb86ce5290a0980f19e901117033cb723cfd48b3ab2c6888

8b791216101006bea031bc4ff657001f95cd58ed1db4429a242d79050f947d40

ad64a6eaa5d2494a4161158792e7cde3fb7d9a7bd36f06cc0de271192582f439

b666f8a605a45edebf5a3980675d00b84343a9b3c7a6d00fb90c37f40b55ac57

bee2e75a7187b8d59c62e37425a14998512cdc6d5cf0023151ad071f0750f4c7

cc5bec641350dbb0a00bd08c0c6d7b8e1b7f4d486a1319a0c09a9f7e9c7f4a0c

eec46d65be09a86f25c891d462671a7a0b3140ee4a8a6ac0a9fa7e1c56a8cb40

+ 1'616 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200804-lgg65d2bzx/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso bda0bad16ddc0185ec8ff422e9e74c5f526993ea439f6f3da242e21ade712e98

exe ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/424345/

Dropped by

MD5 2cde13dcfd40676e54eb265ebee26316

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/38810/

Dropped by

SHA256 bda0bad16ddc0185ec8ff422e9e74c5f526993ea439f6f3da242e21ade712e98

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample