MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109
SHA3-384 hash: 65af36f0a7b65ed2c91175eb55ea4997ba21a3ed328a5c985dbeb69ac4314dd619d7fb538cef18b4198f907ac62e8867
SHA1 hash: 1a1f324185e6114fb1362b00f27fe8009a202361
MD5 hash: fdec289fb4626dd56bbb55770ae5f432
humanhash: cold-arizona-washington-potato
File name:PO-A2174679-06.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2021-02-23 07:23:27 UTC
Last seen:2021-02-23 08:45:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40c19fc273c48bb96f5b0a0c56f8b80b (1 x GuLoader)
ssdeep 1536:WafMF8sN5NZilPSBWNBEotYaYUtl8DLogSR:WHF95ilSUNBLtYaYUt7
Threatray 4'983 similar samples on MalwareBazaar
TLSH 9A83F616FE57E118E1A9C4B2D924ADFE04092C72C1019E03B5CE7E2A36736CB85B1F5B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: highpro1.com
Sending IP: 167.114.95.64
From: TEJ ADHIKARI <info@highpro1.com>
Subject: Re: Status of Purchase Order // A2174679-06
Attachment: PO-A2174679-06.IMG (contains "PO-A2174679-06.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118512/
Detection(s):
SecuriteInfo.com.TR.AD.VBCryptor.dknyz.31500.24459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614950
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Yara detected Lokibot
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5njsk2zbpyt2pkypog7cdakztj45yblj32t73pc3glhznjv4seeq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1030855f4fc2a6abc876f5528638a6bc86b4380f879ba6545b99460387e2d8d9
GuLoader
233e70b105e8fe2f1e9a41b68f380359c8666cea3d9d587ec2ec823cdda2a330
GuLoader
2871ff5b986f5c582a3468cf2a6210dad8216a164b0affd7c6b11e8ef69761ec
GuLoader
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
GuLoader
5c8356172fa558970b2136a5284da800910c0fef74a75a7eb160874ed3edeec2
GuLoader
6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df
GuLoader
6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8
GuLoader
83c3850412a66c31e48de8bb8e252982f52b3482a79fadad65b48692a1030a89
GuLoader
b3cdeeeb4dbcc3f2759f6625a6a08cd7b9e9e561a4d16d5eddbea142aa04556f
GuLoader
ee41c208f648cc461bf54a5d9e40040a25e51ebde8e9721937ca152d964bb10f
GuLoader
+ 4'973 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-5kwk7j8kxs/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109
MD5 hash:
fdec289fb4626dd56bbb55770ae5f432
SHA1 hash:
1a1f324185e6114fb1362b00f27fe8009a202361
Link:
https://www.unpac.me/results/2f485945-9919-4a1f-9a06-598901c7acf6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 04d08bbef9646b62d411d6d7add0b5c2ec13497d7e5a537325b6c3a31c985087

GuLoader

Executable exe eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109

(this sample)

  
Dropped by
MD5 53d012d8af35ac0d0382d9a7fd9ab32c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118512/
  
Dropped by
SHA256 04d08bbef9646b62d411d6d7add0b5c2ec13497d7e5a537325b6c3a31c985087

Comments