MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9d7f04210c5731d1879ba3f8c36e06dcf872b28766629225e8aa583e52a5574. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9d7f04210c5731d1879ba3f8c36e06dcf872b28766629225e8aa583e52a5574
SHA3-384 hash: 1459a2b907b20b5a18ce7497f5d3f3f90f885f1d3286c326124a9858456e1a70a65194ea0ee6406812612ec5581528e6
SHA1 hash: b30ac83a82ee8449a9ec55b64dae7dfe4428e694
MD5 hash: f18fb522632227b5d12f4ab06c607e3d
humanhash: blossom-stairway-friend-burger
File name:4811_Invoice_confirmation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:69'632 bytes
First seen:2021-01-04 18:01:58 UTC
Last seen:2021-01-04 19:56:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f5d835cfb105d66fb22f8044bb8533f (4 x GuLoader)
ssdeep 1536:JQuuebxZ4uZ74rl/SlrqbJ4nR36oapO0:AK3W6lrMJ4R36oC
Threatray 2'170 similar samples on MalwareBazaar
TLSH 13633A12F250E0F1F9D38ABC09FB9E985D116D703D699983E4863B5F1BB16CE5628233
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.alrashid-hospital.com
Sending IP: 80.90.163.106
From: Peter Hamilton <regi1@lifedesignmethod.jp>
Subject: 'Payment Confirmation'
Attachment: 4811_Invoice_confirmation.iso (contains "4811_Invoice_confirmation.exe")

GuLoader payload URL:
https://victoragboifo.com/ven/janomo_KcrWqE35.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4811_Invoice_confirmation.exe
Verdict:
No threats detected
Analysis date:
2021-01-04 18:09:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6117af7c-7d1c-46f4-ac19-67ca35569073

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110431/
Detection(s):
SecuriteInfo.com.Gen.NN.ZevbaF.34700.em0@aKEfZjcb.27777.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/573655
Signature
Executable has a suspicious name (potential lure to open the executable)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Potential malicious icon found
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9d7f04210c5731d1879ba3f8c36e06dcf872b28766629225e8aa583e52a5574/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhl7aqqqyvzr2gdzxi7yynxanxhyokzioztcsis6rksyhzjkkv2a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
GuLoader
087b8763410cfb653b46fd2772dbaeeceed7feeded3dad21da2a55ce2df06c7d
GuLoader
305a2d609d4d34967a53c2f44b9c48acd3e683ac3be396bdb359ba0398da7a75
GuLoader
453dacb9349991ae41f06e03837a54f188f0c60869b2bd6c187a46629d4bbd55
GuLoader
4e49f8ed15a69e1147ae9428c9e5b4d4aa928769f261627abc059d2060e94a6b
GuLoader
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
GuLoader
9e3ccccbdae5037867b30ec99ab71a8422ae9b0be42bf6b7ee0dddf07e4f03c0
GuLoader
ab17573224e0a8567845f69380a783a59bef1f4d3574095ce47aea7bdf760e97
GuLoader
ba7bdbafafbe370874a0a1a53e71176f76944663d6a113d5f7a673301c2c22d8
GuLoader
e8f0dd4a951cb42729e34171301bf46bd708a8c1c1c0b5b7daf2ed9036b97cca
GuLoader
+ 2'160 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210104-3h4fnay9fe/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
c9d7f04210c5731d1879ba3f8c36e06dcf872b28766629225e8aa583e52a5574
MD5 hash:
f18fb522632227b5d12f4ab06c607e3d
SHA1 hash:
b30ac83a82ee8449a9ec55b64dae7dfe4428e694
Link:
https://www.unpac.me/results/058aa95a-290f-4809-89ca-596f3ab71b1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c9d7f04210c5731d1879ba3f8c36e06dcf872b28766629225e8aa583e52a5574

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 5ab08718d7087e98e36f753588143952250177ac8f5f341e002197f67752bce4

GuLoader

Executable exe c9d7f04210c5731d1879ba3f8c36e06dcf872b28766629225e8aa583e52a5574

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948916/
  
Dropped by
MD5 475a7dd490c760844974da412e2f194d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5ab08718d7087e98e36f753588143952250177ac8f5f341e002197f67752bce4
Cape
Cape
https://www.capesandbox.com/analysis/110431/

Comments