MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df73eb67c77011507825a9f915a5b2ef04a51e071e65c87409291eabf2307e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df73eb67c77011507825a9f915a5b2ef04a51e071e65c87409291eabf2307e64
SHA3-384 hash: bb1c100a4f64ea0fe32c913417aa9a033e5c697bbc01675fd42dda73ab2cf8a07877307c57b40c5bed2add1f5343b033
SHA1 hash: b6cd3e3747d1e35093cdeca39726f2e21954ccad
MD5 hash: 1f563d126e328d5f75a96738a3bfdedd
humanhash: summer-timing-magazine-fourteen
File name:1f563d126e328d5f75a96738a3bfdedd
Download: download sample
Signature GuLoader
Create hunting rule
File size:255'064 bytes
First seen:2021-07-29 10:23:17 UTC
Last seen:2021-07-29 13:05:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d4ddbfb32d829f09195ac39344cde3ef (1 x GuLoader)
ssdeep 1536:LPKJncBrYuThd3HeWv2WSeQbl4kHTdlCYi:OuVo154Sdl3i
Threatray 14 similar samples on MalwareBazaar
TLSH T1054418505BA83C66E408F837EB43B460A1B5F4B79E4C8793E4C476159CB5EB287B03DA
dhash icon e8cc8c8e8e8ecce8 (5 x GuLoader)
Reporter zbetcheckin
Tags:32 exe GuLoader signed

Code Signing Certificate

Organisation:SKJO
Issuer:SKJO
Algorithm:sha256WithRSAEncryption
Valid from:2021-07-29T08:00:45Z
Valid to:2022-07-29T08:00:45Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 4e3145c0e02eca97154203c9c9686543a32a92226118fe058ac0e95be8847fc3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order 001.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-29 09:39:44 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/1e401783-2623-46ff-ac83-8401a9ffcd60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174975/
Detection(s):
SecuriteInfo.com.PWS-FCZK1F563D126E32.32076.17956.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0948f079-4537-4f2d-aa96-3212954d0a7b
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823729
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456141 Sample: m1Be7JKUv4.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 9 m1Be7JKUv4.exe 2->9         started        process3 signatures4 50 Contains functionality to detect hardware virtualization (CPUID execution measurement) 9->50 52 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 9->52 54 Tries to detect Any.run 9->54 56 2 other signatures 9->56 12 m1Be7JKUv4.exe 6 9->12         started        process5 dnsIp6 32 kinmirai.org 133.130.104.18, 443, 49740 INTERQGMOInternetIncJP Japan 12->32 58 Modifies the context of a thread in another process (thread injection) 12->58 60 Tries to detect Any.run 12->60 62 Maps a DLL or memory area into another process 12->62 64 3 other signatures 12->64 16 cmmon32.exe 12->16         started        19 explorer.exe 12->19 injected signatures7 process8 dnsIp9 34 Modifies the context of a thread in another process (thread injection) 16->34 36 Maps a DLL or memory area into another process 16->36 38 Tries to detect virtualization through RDTSC time measurements 16->38 22 cmd.exe 1 16->22         started        26 jamiitulivu.com 162.241.224.203, 49754, 80 UNIFIEDLAYER-AS-1US United States 19->26 28 www.howtovvbucks.com 63.141.242.43, 49749, 80 NOCIXUS United States 19->28 30 17 other IPs or domains 19->30 40 System process connects to network (likely due to code injection or exploit) 19->40 signatures10 process11 process12 24 conhost.exe 22->24         started       
Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 10:24:13 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=35z6wz6hoaiva6bfvh4rljns54ckkhqhdzs4q5ajfepkx4rqpzsa._file
Verdict:
suspicious
Similar samples:
447a0d8244572bcab27cab7d54e43ac0cd4724073d6b9deb381c78d32a97b418
GuLoader
464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
GuLoader
4bb72d11d5f81e16f5113c8dc0c59d5331e0cf61259bea30dc57143ef30856b9
GuLoader
9435308eb1024c0e11753dc2412b9243af69d7388817e3aebc59a4a58f2ec372
GuLoader
9fe616b7f813e2de5c4ebf53b624e0f1577014aae677f9f73dc99d8c1b19d140
GuLoader
d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
GuLoader
+ 4 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210729-864k2m6ahj/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
df73eb67c77011507825a9f915a5b2ef04a51e071e65c87409291eabf2307e64
MD5 hash:
1f563d126e328d5f75a96738a3bfdedd
SHA1 hash:
b6cd3e3747d1e35093cdeca39726f2e21954ccad
Link:
https://www.unpac.me/results/36048d84-c633-4fdf-849d-ea4ac1d70818/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/df73eb67c77011507825a9f915a5b2ef04a51e071e65c87409291eabf2307e64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe df73eb67c77011507825a9f915a5b2ef04a51e071e65c87409291eabf2307e64

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1489573/
Cape
Cape
https://www.capesandbox.com/analysis/174975/

Comments


Avatar
zbet commented on 2021-07-29 10:23:19 UTC

url : hxxp://180.214.239.39/excel/.svchost.exe