MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e3b707a5373604e727627fe3d0659eec90d1ee0908c8c32cc4f95600b05d9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1e3b707a5373604e727627fe3d0659eec90d1ee0908c8c32cc4f95600b05d9d
SHA3-384 hash: 0b2a41a4cea96612ff259096ffece2a81230f678fd323cc929028e043291afbc959b1293f87ce60342c5c5f7b0c009f5
SHA1 hash: b77e57afdc6d746ef322f3978f063032a30d1a72
MD5 hash: 7932384c43524a333227791aa3186be4
humanhash: fanta-beryllium-floor-earth
File name:ANGEBOTSANFORDERUNG.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:282'624 bytes
First seen:2021-07-23 22:11:01 UTC
Last seen:2021-07-26 06:22:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d855772c2abd948c289c2a8f8005cb9 (3 x GuLoader)
ssdeep 6144:EiUCxNRbEWU6lMKI0ruSDNpDUuq/BtHP:/xN59U6qKFKSBpg
Threatray 5'351 similar samples on MalwareBazaar
TLSH T15054B31C2312F017FA51C4BB3405F22B64191D77912CCE46BA8C1E7BE4A61F3A6BBAD1
dhash icon 72e8d4ccf4d4e8b0 (5 x GuLoader)
Reporter Racco42
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ANGEBOTSANFORDERUNG.exe
Verdict:
No threats detected
Analysis date:
2021-07-23 22:12:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/557d8576-9810-4ae4-a11c-45145b2eab6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173783/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.11538.11639.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bacc53f-4f5c-4da6-9277-6a0730e45063
Result
Threat name:
GuLoader Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821089
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1e3b707a5373604e727627fe3d0659eec90d1ee0908c8c32cc4f95600b05d9d/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 22:11:04 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whr3ob5fg43ajzzhmj76hudft3wjbupobeemrqzmyt4vmafqlwoq._file
Verdict:
suspicious
Similar samples:
0afe73609922b94ffb25f673db3b621befab30c7f52cd586497b63f8154dbd6d
GuLoader
0d0ec5da4b48240427f7df80e2d144e6eba3f4bc8527608f5f515c500f4ccc96
GuLoader
24c6fcb3f26697d826a4c1899bdb9a7368ae336046c1028a6e53a9f17a5186af
GuLoader
396c661ffc736d98af8dfbb324b5a67ec3feb379579969b22b6ffc61d60e4ef4
GuLoader
464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
GuLoader
893033ccdb5795d90f5cad3d4e2121307a9f18b05f74c39970395a2f1a6a40ec
GuLoader
a7187cba00f1ecf7d0ce8758c9376610eb513869152e7b4bd28e711f6b440053
GuLoader
b59374ff4efaa214c04a353aa3cf500ca22c43b63f27d0c3fb0495bd942ac734
GuLoader
e8aea93df30f3e8bd0542030dc4c31c561bdcd1e176a9835372a7d3508750ccf
GuLoader
fe7ecd7256cc42ce91c14e30096c2d220aa5f0eeb77eaf7153ea34f9d4b3af8b
GuLoader
+ 5'341 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210723-cg3cpxfhgx/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
b1e3b707a5373604e727627fe3d0659eec90d1ee0908c8c32cc4f95600b05d9d
MD5 hash:
7932384c43524a333227791aa3186be4
SHA1 hash:
b77e57afdc6d746ef322f3978f063032a30d1a72
Link:
https://www.unpac.me/results/91434e49-230e-43fc-85b5-939241ff0bed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b1e3b707a5373604e727627fe3d0659eec90d1ee0908c8c32cc4f95600b05d9d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe b1e3b707a5373604e727627fe3d0659eec90d1ee0908c8c32cc4f95600b05d9d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/173783/

Comments