MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7a99f24befa69ac2bae23e028ef9342211ed018495b34b92b9e89448532584a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7a99f24befa69ac2bae23e028ef9342211ed018495b34b92b9e89448532584a
SHA3-384 hash: 750a0e231a8d4a7d65d76b50d2bd1be929f6575d49d9aab451f2a0eac98ccd7b40373645f28d7c3a1f4f7c8d1994a1df
SHA1 hash: 3a3c252db7f45fd0a2c0baf6af74cf9484350892
MD5 hash: 7835c86a2f5eb8f9352f013a95fead18
humanhash: fillet-friend-item-texas
File name:edog.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-10-26 19:17:28 UTC
Last seen:2020-10-26 20:56:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02d03956d3718b494e226bdaa75e0b1f (10 x GuLoader)
ssdeep 1536:hTw+VA/IySg19OYuh/P3UalwSr+YOFA+7vw:VLFynsDh/P3UCwSwHo
Threatray 570 similar samples on MalwareBazaar
TLSH 96930713B85C4943D82587B8BF5B9F7C5B4FFE1464822BDB20A21DDA3B3C21A4C5E219
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79487/
Detection(s):
SecuriteInfo.com.generic.ml.21765.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512817
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305524 Sample: edog.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 29 www.helocoxint.com 2->29 31 helocoxint.com 2->31 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected GuLoader 2->43 45 5 other signatures 2->45 11 edog.exe 1 2->11         started        signatures3 process4 signatures5 55 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->55 57 Tries to detect Any.run 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Hides threads from debuggers 11->61 14 edog.exe 6 11->14         started        process6 dnsIp7 37 redesuperpops.com.br 192.185.216.181, 443, 49725 UNIFIEDLAYER-AS-1US United States 14->37 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Tries to detect Any.run 14->65 67 Maps a DLL or memory area into another process 14->67 69 3 other signatures 14->69 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 33 dollhouse360.com 108.170.61.250, 49734, 80 SSASN2US United States 18->33 35 www.dollhouse360.com 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cmd.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7a99f24befa69ac2bae23e028ef9342211ed018495b34b92b9e89448532584a/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 19:17:24 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=26uz6jf67ju2yk5oepqcr34tiiqr5uayjfntjojlt2eujbjslbfa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e
GuLoader
44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18
GuLoader
5b59dac589de1279260d3b8976a210779abbb56447ca52679608357e67bc637b
GuLoader
7d37b86ad0cb4b99038a10d6f95febfd7d1e096ab7ba28c6c02ada2b128873bf
GuLoader
8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c
GuLoader
9d4abcc57a7136faf706c30c8d644f1ac7b38a2adcff37072a4a7c356d2b8d57
GuLoader
aef1b48a6c4077dd71346018f0fbbf86239a35f34babf980e4469da9ddbf42ac
GuLoader
d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818
GuLoader
d74ec4c8e4b38d5258d5fcee7364b8dd0eeb165e6b0aa3edc544b160ceec7f89
GuLoader
f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31
GuLoader
+ 560 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-q2r8d3mdc6/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/79487/

Comments