MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
SHA3-384 hash: 325b0778d9b6bace861de2482414f00611e91574ff7d6fb4264795fec98c747c755469aeefb97c46b7c2fa3b586469a1
SHA1 hash: 76bacc8c5fbbf675399c39c42565dfc3d77be98b
MD5 hash: e18dbe57194dd717d54a907ba8e6d3e1
humanhash: eight-london-massachusetts-oranges
File name:e18dbe57194dd717d54a907ba8e6d3e1.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:131'072 bytes
First seen:2021-02-24 07:29:18 UTC
Last seen:2021-02-24 10:50:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc882d101998a701353b40b0cd8c341a (6 x GuLoader, 1 x Formbook)
ssdeep 1536:uWWTwV4fVhuoUaaAAwT4uv65YEWDTkIlmak5AEivuxVQwV4MjW:2wVUPOpUlviYEWnkIlmak5zivQqwV
Threatray 4'961 similar samples on MalwareBazaar
TLSH C3D34A7133B5E873F4A527365A01C3F40B08AFABCD62450721B87A1EAE74A416771EF6
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P-WtoHRz4

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc
Verdict:
Malicious activity
Analysis date:
2021-02-24 06:30:54 UTC
Tags:
ole-embedded exploit CVE-2017-11882
Link:
https://app.any.run/tasks/bd1fe854-84f7-40c4-b411-4eeb93d91af3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118886/
Detection(s):
SecuriteInfo.com.W32.AIDetectGBM.malware.01.20080.22521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616354
Signature
C2 URLs / IPs found in malware configuration
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357184 Sample: V33QokMrIv.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 8 other signatures 2->63 8 V33QokMrIv.exe 1 2->8         started        11 RegAsm.exe 4 2->11         started        14 dhcpmon.exe 4 2->14         started        16 3 other processes 2->16 process3 file4 73 Writes to foreign memory regions 8->73 75 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 8->75 77 Tries to detect Any.run 8->77 79 2 other signatures 8->79 18 RegAsm.exe 2 23 8->18         started        23 taskhostw.exe 8->23         started        49 C:\Users\user\AppData\...\RegAsm.exe.log, ASCII 11->49 dropped 25 conhost.exe 11->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        signatures5 process6 dnsIp7 51 194.5.98.202, 4488, 49766, 49767 DANILENKODE Netherlands 18->51 53 onedrive.live.com 18->53 55 2 other IPs or domains 18->55 41 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->41 dropped 43 C:\Users\user\AppData\Local\...\tmp7CFF.tmp, XML 18->43 dropped 45 C:\Users\user\subfolder1\filename1.exe, PE32 18->45 dropped 47 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->47 dropped 65 Tries to detect Any.run 18->65 67 Tries to detect virtualization through RDTSC time measurements 18->67 69 Hides threads from debuggers 18->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->71 31 schtasks.exe 1 23->31         started        33 schtasks.exe 1 23->33         started        35 conhost.exe 23->35         started        file8 signatures9 process10 process11 37 conhost.exe 31->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 01:47:10 UTC
AV detection:
7 of 48 (14.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxkraf42wb7qtqim7ixktwkti35ws2x5h5scv4uifm7uzulnh72q._file
Verdict:
unknown
Similar samples:
0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a
GuLoader
17314d9e48839344dafc7dbdb9af89ad08603a106fb09eda8f74af42dd8a8252
GuLoader
182b2d026edb387534dda66711ee6f9050bc8ed871d0ebb71a96f0b18498ba24
GuLoader
1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b
GuLoader
21afff77ea0ce89dca2d925ed0d8b5a61f7ab42ca9aca78019843e9e251bbcb3
GuLoader
5278046daacc4237354be9a2b1094f6a9467e317b17c959c772ed5a86e25d737
GuLoader
7c38d073b77ff7afc8f65aac812316d0fa9356115f1f3e78aca9fd496d177cad
GuLoader
b8709a0d94df64f37f997373ca3686aa4071ce1da9a407bcfee2fdb0ce9d096c
GuLoader
e45b4d0e0b338b2a3875466e875b008043acf8240da0d6caa2ec14d13c02fe41
GuLoader
ed081d99724673a343863138b3eac0fbe402c8ba256cc466c535d3e7133187d1
GuLoader
+ 4'951 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210224-gqq6fv2182/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
MD5 hash:
e18dbe57194dd717d54a907ba8e6d3e1
SHA1 hash:
76bacc8c5fbbf675399c39c42565dfc3d77be98b
Link:
https://www.unpac.me/results/a94701f4-0f55-48e6-8882-152c5e3ad0c3/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1026928/
Cape
Cape
https://www.capesandbox.com/analysis/118886/
  
URLhaus
https://urlhaus.abuse.ch/url/1026925/
  
Delivery method
Distributed via web download

Comments