MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c6e44bb03c1cdab3844b42f46634bd578f896373e9467ca2b8d092d047eb71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1c6e44bb03c1cdab3844b42f46634bd578f896373e9467ca2b8d092d047eb71
SHA3-384 hash: 1f2cb801c257191a2f538d3b4d45e062b462a5c7f5c6249c1e2b9f1de7c2aab7bc1174e1d84399f3b1fe0670cfda8523
SHA1 hash: 90f13acfe0b571568baff192f1dc7bfe1caebfdd
MD5 hash: f09e137bc28b578f42cd15712558e69b
humanhash: seven-charlie-montana-golf
File name:9287632_Invoice_confirmation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2021-01-14 06:57:35 UTC
Last seen:2021-01-14 08:52:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c12527a6c6422c1c7a87cbb5eb07c60 (2 x GuLoader)
ssdeep 1536:ydx/JAHn5xNxqet9Tz0F1JmTPQnoY8QC2uyo:+Uz00jQzXnBo
Threatray 1'714 similar samples on MalwareBazaar
TLSH EC830866F294F6F1F60785BE7AE4DE680C497F300B06C907F249261D2BB99CD8520B93
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mjrkintu.com
Sending IP: 173.230.246.112
From: "Irene David" <rector@nyengaseminary.org>
Subject: Payment Confirmation..
Attachment: 9287632_Invoice_confirmation.iso (contains "9287632_Invoice_confirmation.exe")

GuLoader payload URL:
https://www.agamagroup.com.ng/ok/janomo_wFAvdBCiy248.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9287632_Invoice_confirmation.exe
Verdict:
No threats detected
Analysis date:
2021-01-14 07:42:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88aeab45-1ee8-42bd-9b7e-8da1f7510dcd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111944/
Detection(s):
SecuriteInfo.com.Variant.Bulz.302514.17205.23890.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/581188
Signature
Executable has a suspicious name (potential lure to open the executable)
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1c6e44bb03c1cdab3844b42f46634bd578f896373e9467ca2b8d092d047eb71/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 06:58:11 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hdois5qhqonvm4ejnbpizruxvly7cldopuum7fcxdijfuch5nyq._file
Verdict:
unknown
Similar samples:
08954829f50d1aade435fefd5e50e2aee86283ab378a54243892152eded51db8
GuLoader
0cb0059baf3983db9857ea71e6bff0a572c42b2badd00bffe78ff1fdf6a1c007
GuLoader
1a4407fd45881091495f927612c7be23ab6de71949e4192cdc58154986d2c827
GuLoader
59dedb5dafe62e59eb6da5982d87b786af5a614dc7c8eac33ae32ebc0d6bc352
GuLoader
79f98a45cdf0776c1ae83a4b027ded395fe8dfc4b520f51706fc7207b1e4c630
GuLoader
bf2c56fa8b5e9c316ec1dd825a2f0275bc3a8356723d7cd0ff2a3ca5166e6e52
GuLoader
c2dd8076e0be5f411f0677f1e03f7fc9cdae5df7072200d894e7247b4a5f5a2c
GuLoader
e0020d5328b75c4078556d235042c3afad2b7402db2b7a375280ddf48636c5a1
GuLoader
e1ff1c16441255468cf921e8b9a455c957f73a2a433aa469349ee7a6d5e916b7
GuLoader
fbfebf420c076687262aa7a863151825402349231fe15f6ea52e680f19b11cfb
GuLoader
+ 1'704 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-8ed87lp45x/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
e1c6e44bb03c1cdab3844b42f46634bd578f896373e9467ca2b8d092d047eb71
MD5 hash:
f09e137bc28b578f42cd15712558e69b
SHA1 hash:
90f13acfe0b571568baff192f1dc7bfe1caebfdd
Link:
https://www.unpac.me/results/2663413a-965e-4adc-81b4-f307b0309564/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e1c6e44bb03c1cdab3844b42f46634bd578f896373e9467ca2b8d092d047eb71

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso f421c6564e3f58386766e48d28e5f788369e82423e9619ff9775358884320d43

GuLoader

Executable exe e1c6e44bb03c1cdab3844b42f46634bd578f896373e9467ca2b8d092d047eb71

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/959919/
  
Dropped by
MD5 0b9bed151f052da8e4acab4761378864
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f421c6564e3f58386766e48d28e5f788369e82423e9619ff9775358884320d43
Cape
Cape
https://www.capesandbox.com/analysis/111944/

Comments