MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2610d4c5b099cc7e207360385822bc97ea84028ff3133317abe82be564f4e72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2610d4c5b099cc7e207360385822bc97ea84028ff3133317abe82be564f4e72
SHA3-384 hash: 06919e4553693a9211520b8c9f71cf212b6f9456de62527c5a44de3e72268cc3a5ed60c1df34691bd056eac76d77cf7a
SHA1 hash: fdc19d14fc1791c6c6343f5003a11271bcb6cf46
MD5 hash: bcb0fd7e9ee911c61a64fdc41ef4d499
humanhash: nine-double-king-texas
File name:bcb0fd7e9ee911c61a64fdc41ef4d499.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:69'632 bytes
First seen:2020-12-08 16:25:17 UTC
Last seen:2020-12-08 17:57:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19a50f8a689b1fb4492b7f7bc8ae3f82 (4 x GuLoader)
ssdeep 1536:W6Y9nelnzeq99mIpDd+sVFokcyLkLRD/ol7D:WKzed0J+Y5cy4e7
Threatray 713 similar samples on MalwareBazaar
TLSH C16319165EA7BCFAC68642F12678055905C6EB239613CE0F12451E3F1D2EF85BE2622F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
https://babusubramaniam.com/binman_dVXRfLe65.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107302/
Detection(s):
SecuriteInfo.com.Trojan.VbCrypt.1868.12119.8489.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558186
Signature
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 328192 Sample: siYRtE23mD.exe Startdate: 08/12/2020 Architecture: WINDOWS Score: 100 29 www.metalkompagniet.com 2->29 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 6 other signatures 2->45 11 siYRtE23mD.exe 1 2->11         started        signatures3 process4 signatures5 55 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->55 57 Tries to detect Any.run 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 2 other signatures 11->61 14 siYRtE23mD.exe 6 11->14         started        process6 dnsIp7 37 babusubramaniam.com 45.74.22.202, 443, 49728 HVC-ASUS United States 14->37 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Tries to detect Any.run 14->65 67 Maps a DLL or memory area into another process 14->67 69 3 other signatures 14->69 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 31 www.type3cannabis.com 91.195.240.94, 49738, 80 SEDO-ASDE Germany 18->31 33 pindd10.com 180.215.222.146, 49750, 80 BCPL-SGBGPNETGlobalASNSG Singapore 18->33 35 5 other IPs or domains 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 chkdsk.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2610d4c5b099cc7e207360385822bc97ea84028ff3133317abe82be564f4e72/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 16:26:05 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjqq2tc3bgompyqhgybylarlzf7kqqbi74ytgml2x2bl4vspjzza._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
08573c8eb12aabb14b6645a6630c8ab937bc9e36e1883d23062bfca41bb438e8
GuLoader
0e160494a796043c9591b63d31e654c1c04a96bb35791b82cbd0d1827fe9bffb
GuLoader
250051d6d9bd369c1b513ab41b5f9da87b04166af831d170dcab225aa0d86913
GuLoader
2d81518e22ec06dbc7091008d55481d35fe15b3ebc931ad6960759ab11e8d4c0
GuLoader
7030c2032fc9a3b15dc8720636f25403873ca65156611b7ccaa2928d716874b3
GuLoader
7b743eec66064abd181281fa1c0d614f856ee083d23348a10c9612765342ee67
GuLoader
91941aae141a39edd148e57a59fb42f041945b9ce76c4c6679a2ddf322815301
GuLoader
c94b614af2c3809395adc81a4be8a2c90b3324656b28e242cb0a5c18ae050249
GuLoader
f58fbc11bbf63fa27f08450aebed92c1a7b48bb0b4a2140453a0d6a14a7ca67f
GuLoader
ffdd9979e0fdcddd2224f3fd431b615ad3bc4f3e9211863a2cc41892caa69586
GuLoader
+ 703 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201208-dmaj8xg37n/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
b2610d4c5b099cc7e207360385822bc97ea84028ff3133317abe82be564f4e72
MD5 hash:
bcb0fd7e9ee911c61a64fdc41ef4d499
SHA1 hash:
fdc19d14fc1791c6c6343f5003a11271bcb6cf46
Link:
https://www.unpac.me/results/251d8150-187f-4247-84a8-c70043692670/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2610d4c5b099cc7e207360385822bc97ea84028ff3133317abe82be564f4e72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe b2610d4c5b099cc7e207360385822bc97ea84028ff3133317abe82be564f4e72

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/898844/
  
URLhaus
https://urlhaus.abuse.ch/url/896303/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107302/

Comments