MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9d7f98f32268cf0a37e645d801608ba1135ff089f48854ccfc385aefebfce25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9d7f98f32268cf0a37e645d801608ba1135ff089f48854ccfc385aefebfce25
SHA3-384 hash: 7efc3379fee4e1b5276cee08b2f0db02ef17b674736457230f5faa200e484aa4c53c387cc70da88336e7c5a1092a85f3
SHA1 hash: 86c1ac624d03e627ad156f659918f10ecd104f29
MD5 hash: 59dd27912b888f5ecbf8101447f01d93
humanhash: ack-saturn-sodium-mississippi
File name:41126780_Inv0ice_Confirmation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:57'344 bytes
First seen:2020-11-06 17:21:59 UTC
Last seen:2020-11-06 19:03:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 92db29df228358763a6f930f2c79070d (2 x GuLoader)
ssdeep 768:aMJPgJ+L/1rHlW6DlTlTTTTTnWTTTTLkL5bbFv3TTTTTTTTTTTTTTTTTTTTTTTTe:aJQ/38+bFvfJCst1yr
Threatray 3'120 similar samples on MalwareBazaar
TLSH F343394FA0F4EB70E6978ABE077387AC92277C21C5109A4AED4B345F1970784D7E436A
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.sweet.jp
Sending IP: 122.215.240.144
From: Zara Abad <info4u@reberauto.com>
Subject: Payment confirmation..
Attachment: 41126780_Inv0ice_Confirmation.iso (contains "41126780_Inv0ice_Confirmation.exe")

GuLoader payload URL:
https://joudex.com/nm/nov_ESYcfLslK143.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Ursu.744739.30235.5626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523569
Signature
Contain functionality to detect virtual machines
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310885 Sample: 41126780_Inv0ice_Confirmation.exe Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 39 Potential malicious icon found 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->43 45 Yara detected VB6 Downloader Generic 2->45 7 41126780_Inv0ice_Confirmation.exe 2->7         started        10 AFVIKLINGSTIDSP.exe 2->10         started        12 AFVIKLINGSTIDSP.exe 2->12         started        process3 signatures4 47 Writes to foreign memory regions 7->47 49 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 7->49 51 Tries to detect Any.run 7->51 14 RegAsm.exe 1 9 7->14         started        53 Multi AV Scanner detection for dropped file 10->53 55 Tries to detect virtualization through RDTSC time measurements 10->55 57 Hides threads from debuggers 10->57 19 RegAsm.exe 1 10->19         started        process5 dnsIp6 27 joudex.com 192.129.253.234, 443, 49731, 49733 HOSTWINDSUS United States 14->27 29 192.168.2.1 unknown unknown 14->29 25 C:\Users\user\...\AFVIKLINGSTIDSP.exe, PE32 14->25 dropped 31 Contains functionality to detect hardware virtualization (CPUID execution measurement) 14->31 33 Contain functionality to detect virtual machines 14->33 35 Tries to detect Any.run 14->35 37 3 other signatures 14->37 21 conhost.exe 14->21         started        23 conhost.exe 19->23         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9d7f98f32268cf0a37e645d801608ba1135ff089f48854ccfc385aefebfce25/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 03:10:32 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhl7tdzse2gpbi36mroyafqixiitl7yit5eiktgpyoc257v7zysq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2c80924676beb57ffb753a576380eed1ec48e265a7843a52b08664463d890b61
GuLoader
4320e2bf2bc6115ae79a52777bdd9aef62db691a756640f9c7fa6e8372e46193
GuLoader
46ea1705549840fd45e067930511c81a0b8979698f98e4b170b9a93b27a6ed0a
GuLoader
541c870536f63dd8b9eb7406fec6031505c59f5c21c8a6f581e5b29349a4a92b
GuLoader
54d3e50350cb0e6e43cae0d762829aeab02a389142d24d5c8d71c413e1d77842
GuLoader
a0a84ef378c8199a1b4511396d185b39d2dca86ffc608144f9d12f61d7d48cfd
GuLoader
a9e51c077a3cb18a4fbb72e9a01bdbbeac7f78da7eb0462a6c191f5956ae83a1
GuLoader
e3bb363542c6d38bc7cf43863d0247e9e9c96c5176f4c0cf4bbd3bbe2afbd31e
GuLoader
f13e6a63744c56a4815ebc9421b869c5a30a539a4053a6bf057f98cf79c06ed5
GuLoader
fff764b24ed5c9f8116b1028a39721c6c3098e0153ed368283d3f4ad4539247b
GuLoader
+ 3'110 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201106-7ql3bzmbrn/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
c9d7f98f32268cf0a37e645d801608ba1135ff089f48854ccfc385aefebfce25
MD5 hash:
59dd27912b888f5ecbf8101447f01d93
SHA1 hash:
86c1ac624d03e627ad156f659918f10ecd104f29
Link:
https://www.unpac.me/results/82def6c5-bc02-44ae-9707-f3e11fc97a0f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 5924cece5c367f5057d2d2486144b85654ec35668a58caa0a708a5593c2f283d

GuLoader

Executable exe c9d7f98f32268cf0a37e645d801608ba1135ff089f48854ccfc385aefebfce25

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/793616/
  
Dropped by
MD5 9cf472462494525c1a19ffa13e9c254d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5924cece5c367f5057d2d2486144b85654ec35668a58caa0a708a5593c2f283d

Comments