MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818
SHA3-384 hash:	d7ed65e561625478d8ccd110229d3c5700b265d5e927c3eee76d6511eab01b1f458466fc8c2471907634aa30f5800111
SHA1 hash:	96dfc8b5f7187777b175e4702eeb3356e36d120e
MD5 hash:	d8a6068852783abbb6775676f4ef37ee
humanhash:	mountain-oven-happy-wisconsin
File name:	RFQ Requirement.pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-10-26 08:58:30 UTC
Last seen:	2020-10-26 19:17:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	02d03956d3718b494e226bdaa75e0b1f (10 x GuLoader)
ssdeep	768:OfmnMcUTHsUqea+XF78jnViIElsZiUBpMblWvcWEwZO6qZw/9zn5LvtvpAZ35/Es:2XLsF+V78UssUBKbwEWEYOKVzNtvpB
TLSH	F1930913BA5C5443D82587B47E7B8FBC4B0FFE1494821BDB21A61D9A7B396018E1F22D
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: xwx0.321.xoron.ml
Sending IP: 164.90.157.232
From: Purchase & Logistices <irenelcleung@hsbc.com.hk>
Subject: Re:RFQ Requirement
Attachment: RFQ Requirement.rar (contains "RFQ Requirement.pdf.exe")

GuLoader payload URL:
https://redesuperpops.com.br/spike/anyiba_ieUWV173.bin

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/78870/

Detection(s):

SecuriteInfo.com.ArtemisD8A606885278.31710.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/511450

Signature

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-10-26 00:22:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2u53rzcwcr3rgo2fcdw2cm57a5amqvgfq7y6hvngo3e5wm7j7ama._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201026-5ljqvad8he/

Behaviour

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 0200f999f44eb33405053f1fb8e7f49ca5558ad0605196111f1c79b752a047e2

GuLoader

exe d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/750729/

Dropped by

MD5 ae3f59caf4d7834086efc7f439b8183a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 0200f999f44eb33405053f1fb8e7f49ca5558ad0605196111f1c79b752a047e2

Cape

https://www.capesandbox.com/analysis/78870/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample