MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d379ffe32dfb2d6d386b6d9c3cbae49e49241ac25a14d2974c286bfa45aa50b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	d379ffe32dfb2d6d386b6d9c3cbae49e49241ac25a14d2974c286bfa45aa50b9
SHA3-384 hash:	4ae520519bc3b14178058df7fd62b260008eeea1044158161580d10e926b3ed008a3c66e555d0b3627dd0c9ae426bed7
SHA1 hash:	00d6a00c2ca803b4f898d70e60c887245e1a0245
MD5 hash:	c527577c792fd2e154ee3e816750098d
humanhash:	cardinal-hot-sad-whiskey
File name:	DHL_Shipment-Notification_5596073630-QURY-93838392-27273827273-courier.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	749'344 bytes
First seen:	2022-09-22 10:27:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3f91aceea750f765ef2ba5d9988e6a00 (45 x GuLoader, 7 x Loki, 7 x RemcosRAT)
ssdeep	12288:3S4U2+shYdbN7t1TTO0U5vG1miy2TCjkRygfkSxAkeXpAJ1+wwJytgfw:C4X+shYdbVrTTODdJiy2Wj6yS3IGhwJG
Threatray	29 similar samples on MalwareBazaar
TLSH	T1D0F41203771C8476CD764A31CE9F97852B70AE65EA931F4723C9392A6D33340AE2E56C
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0036a6a6664cf808 (1 x GuLoader)
Reporter	abuse_ch
Tags:	DHL exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-09-21T20:04:24Z
Valid to:	2025-09-20T20:04:24Z
Serial number:	-148ba720b6d70dc4
Thumbprint Algorithm:	SHA256
Thumbprint:	7915eb94b2b9bea80eb6a71a4b5c2c886d3a86ea16b2ae1219aa6e22367d185d
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

1

# of downloads :

430

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

DHL_Shipment-Notification_5596073630-QURY-93838392-27273827273-courier.exe

Verdict:

Malicious activity

Analysis date:

2022-09-22 10:29:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c241d3cf-4188-4c34-a969-b660561681b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312304/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file

Creating a file in the %temp% subdirectories

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38457/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

60%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/632c392be64c53f047fd2cd9/reports/92679d6a-0ba6-43c6-ba6d-c03c40bfe52c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5ba5fd36-99e2-41da-971e-01c54c52062d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d379ffe32dfb2d6d386b6d9c3cbae49e49241ac25a14d2974c286bfa45aa50b9/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2022-09-22 01:00:58 UTC

File Type:

PE (Exe)

Extracted files:

15

AV detection:

10 of 41 (24.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2n477yzn7mww2odlnwodzoxetzesigwcliknff2mfbv7urnkkc4q._file

Verdict:

malicious

Label(s):

cloudeye

Similar samples:

14c71d639d1f1bb7d988c4560419269069b0644cda9751decd84e2d968658523

2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85

55d0f43f870d3b05ad854d229889cf31b7bcce76f1d16ccdfa4fdd1cadd7397f

6ec684964e715bd7b62ec19904871853f5be9bf40dcd835c230ced852f24cc34

79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49

aad3072a367a7b47c0ef0472bde70721f5aff5285dbd40310bb19c7b68ff3918

b156409f4fce371d73516dd46ea70166869f96ae8422d51389376cea77f51643

e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c

f66863c2345452a58ba5380f393471836e66a8d8247ce320ce241cdb84808f7d

+ 19 additional samples on MalwareBazaar

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader downloader

Link:

https://tria.ge/reports/220922-mhm8bsbbg9/

Behaviour

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2c6c9c5e-dbb3-4aed-8877-e7d82c13c35e

Unpacked files

SH256 hash:

1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1

MD5 hash:

6c38da8922cc37b4bbb77de4a63ad843

SHA1 hash:

4e0533fd11df8bddbd543ed58df7b6060d9f4631

Link:

https://www.unpac.me/results/b11895b1-0128-46aa-9294-a9b643ffbdec/

SH256 hash:

d379ffe32dfb2d6d386b6d9c3cbae49e49241ac25a14d2974c286bfa45aa50b9

MD5 hash:

c527577c792fd2e154ee3e816750098d

SHA1 hash:

00d6a00c2ca803b4f898d70e60c887245e1a0245

Link:

https://www.unpac.me/results/b11895b1-0128-46aa-9294-a9b643ffbdec/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.09

Link:

https://yomi.yoroi.company/submissions/d379ffe32dfb2d6d386b6d9c3cbae49e49241ac25a14d2974c286bfa45aa50b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/312304/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample