MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934
SHA3-384 hash: ee1df16356729e2b28a6d44527b1a31de4e604597a201d2564396f9c986ed92c823a69c3f0e7ed9edcec2639d670adcb
SHA1 hash: a42190d54492e5283a36ccbe646556efb8786b25
MD5 hash: bfc38d07f22a9d1c389b44d30ffeba86
humanhash: zebra-two-south-vegan
File name:Purchase Order.pf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:65'536 bytes
First seen:2020-10-06 06:00:57 UTC
Last seen:2020-10-06 13:14:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b05ff7faf0ef7c5daecbf99f3a4e5a6f (6 x GuLoader)
ssdeep 768:1qE87y2yFaIgcMkjE9N44ZECYS2gI2epIT8fj:AEZFaITEFYSfgd
Threatray 2'261 similar samples on MalwareBazaar
TLSH E253D439B7C86DB2F16DBEB11AA182D90D513D703CE9458328B8377A183BB1C8D556D3
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.com
Sending IP: 199.115.195.102
From: Eng. M. Husni Abdulwahab <company-procurements@mail.com>
Subject: Purchase Order
Attachment: Purchase Order.pf.z (contains "Purchase Order.pf.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=7B6A3EE1AA3735F9&resid=7B6A3EE1AA3735F9%21117&authkey=AB1wXkw7K-sCyj8

Intelligence

File Origin
# of uploads :
3
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68427/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482347
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 02:06:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=za5ok2k4jd4gysuq6mvbylrm7e3fnvuib2hfgixwohxxtkmp5e2a._file
Verdict:
suspicious
Similar samples:
1289d591984de5325235e57987ab171b4ae3f9d55baf3476087677805922427f
GuLoader
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
GuLoader
3b6460bb14fdce88ab8ec80e5cbfecbb15bbc09de1e75c51246d1c670925b340
GuLoader
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
GuLoader
6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff
GuLoader
784d9c10d108190a9e18b3d5756404a3e63fd728abd648225cbbf80c4f78fe76
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
c845d091a060520675309673246e766d1e61bd90ee0e46e1ba46fc08e1cd1ead
GuLoader
d29fa6e0fa83a4332afc39315b3961e609bddc91c1b60590c82b009d20cd9f3a
GuLoader
ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74
GuLoader
+ 2'251 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201006-plvswlgwx2/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934
MD5 hash:
bfc38d07f22a9d1c389b44d30ffeba86
SHA1 hash:
a42190d54492e5283a36ccbe646556efb8786b25
Link:
https://www.unpac.me/results/61c7b5df-4af1-43a1-b6c8-211ec3944270/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Vcrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip ca631552241e20b52ddcfba1fe261cce6890f6ff74a773e8082f11ce49e9a96c

GuLoader

Executable exe c83ae5695c48f86c4a90f32a1c2e2cf93656d6880e8e5322f671ef79a98fe934

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/658345/
  
Dropped by
MD5 05db791ea99dce5d1044ad9bd431a952
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68427/
  
Dropped by
SHA256 ca631552241e20b52ddcfba1fe261cce6890f6ff74a773e8082f11ce49e9a96c

Comments