MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c65e2de75fb34171072925ff6d7c2a9fa79e5d311c4296dacf7a12d524b4167d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c65e2de75fb34171072925ff6d7c2a9fa79e5d311c4296dacf7a12d524b4167d
SHA3-384 hash: 3656ccaab85b5b5082bfd9216a79e07fa5590ea2e2efa2705f14620ddc01633537eb19ce2ede6072b4bf50069b3e892c
SHA1 hash: e1712e01b0945a42e7d9b1c9dd2eca5b98c4174d
MD5 hash: 5a07a1d293ec00ef9f52f9c515c95f57
humanhash: missouri-friend-five-michigan
File name:RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2021-01-13 20:07:13 UTC
Last seen:2021-01-13 21:59:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f08e2fa188bfdb85d74117a6c20b7544 (14 x GuLoader)
ssdeep 768:SLdB0W0HHvevgg/qb8d8XLrQF41dg74zIYBbVzM58/UFBcwF:GyNPWv/qb7XX+pw5zkt
Threatray 1'592 similar samples on MalwareBazaar
TLSH 9283E8F7DB35A81EF75AD8385F05B96C826A60E3DB0441EBEC2DA637153D3600429B0E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.facetohen.ga
Sending IP: 5.8.93.141
From: Traân troïng <sales.phatdt58@gmail.com>
Subject: REQUEST FOR QUOTATION RFQ#89234A-2021
Attachment: RFQ89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.arj (contains "RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=A951308400164DD4&resid=A951308400164DD4%21106&authkey=APE43C5aWsOop18

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
Verdict:
No threats detected
Analysis date:
2021-01-13 09:17:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e67a751-bb0f-46a0-84aa-a008af9669cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111834/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.mm.30343.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/580591
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c65e2de75fb34171072925ff6d7c2a9fa79e5d311c4296dacf7a12d524b4167d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-13 20:00:30 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzpc3z27wnaxcbzjex7w27bkt6tz4xjrdrbjnwwppijnkjfucz6q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
28e01bffab6c9c78d2760e8a5d28ae229b9547930b5ff75c3f1a8d0f68701df2
GuLoader
74defd8809c3c66152c56c0f711d60e7110683784e42df2d80dcf3e30c412f6a
GuLoader
8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
GuLoader
ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d
GuLoader
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
GuLoader
be1d469e7f434641202ffde45e666cd4b1d255814f8cbf344a3aff1e78e86768
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
GuLoader
+ 1'582 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210113-7hlfc37xtn/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
c65e2de75fb34171072925ff6d7c2a9fa79e5d311c4296dacf7a12d524b4167d
MD5 hash:
5a07a1d293ec00ef9f52f9c515c95f57
SHA1 hash:
e1712e01b0945a42e7d9b1c9dd2eca5b98c4174d
Link:
https://www.unpac.me/results/e7d8ff33-c4da-41c8-8fb8-b38036c168b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c65e2de75fb34171072925ff6d7c2a9fa79e5d311c4296dacf7a12d524b4167d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj 0989e0885dee737263617ba6f55779c4b0f02e54586a5b1f139fa3eee1da1a26

GuLoader

Executable exe c65e2de75fb34171072925ff6d7c2a9fa79e5d311c4296dacf7a12d524b4167d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/952172/
  
Dropped by
MD5 e0fb5f6644b5fa56b9a7696fb582897d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0989e0885dee737263617ba6f55779c4b0f02e54586a5b1f139fa3eee1da1a26
Cape
Cape
https://www.capesandbox.com/analysis/111834/

Comments