MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fae8f28a64d1321bc7c90bdadca9edb951cc115bad51fde5347a85d8a6708d3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fae8f28a64d1321bc7c90bdadca9edb951cc115bad51fde5347a85d8a6708d3e
SHA3-384 hash: c5f1833c51d6e441fbeefbe52ebe6ff6a8183245bc658ce640d9b8a4ef02d2a9d319fe9396b5f3db224c88972a5c81a1
SHA1 hash: 57e657a6b8070def47082e8312a6412c0a985be1
MD5 hash: 3a701fa51d7e07891a057861cdcae660
humanhash: winner-zebra-diet-lamp
File name:RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2021-01-14 06:56:47 UTC
Last seen:2021-01-14 08:53:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f08e2fa188bfdb85d74117a6c20b7544 (14 x GuLoader)
ssdeep 768:0OjJ5DDIX8i55lTu0ZnFFoJAWFCrcKYLIleMQt:VLIXjjtu+FFQaZe3t
Threatray 4'530 similar samples on MalwareBazaar
TLSH C4830BE4FB799C57FA86B5380011B2FC82424060D514C72AB82AFD2F59533F166E8BDE
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: vm1756875.nvme.had.yt
Sending IP: 185.209.23.184
From: Traân troïng <sales.phatdt58@gmail.com>
Subject: REQUEST FOR QUOTATION (RFQ#38787-A)
Attachment: RFQ89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.arj (contains "RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=A951308400164DD4&resid=A951308400164DD4%21106&authkey=APE43C5aWsOop18

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Verdict:
No threats detected
Analysis date:
2021-01-14 07:04:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/579f965e-d7d1-4439-ab3f-e43222ad514e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111940/
Detection(s):
SecuriteInfo.com.Variant.Midie.78372.12825.2859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/581197
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fae8f28a64d1321bc7c90bdadca9edb951cc115bad51fde5347a85d8a6708d3e/
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-14 00:52:35 UTC
AV detection:
1 of 46 (2.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lupfcte2ezbxr6jbpnnzkpnxfi4yek3vvi73zjupkc5rjtqru7a._file
Verdict:
unknown
Similar samples:
28e01bffab6c9c78d2760e8a5d28ae229b9547930b5ff75c3f1a8d0f68701df2
GuLoader
74defd8809c3c66152c56c0f711d60e7110683784e42df2d80dcf3e30c412f6a
GuLoader
8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
GuLoader
ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d
GuLoader
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
GuLoader
be1d469e7f434641202ffde45e666cd4b1d255814f8cbf344a3aff1e78e86768
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
GuLoader
+ 4'520 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-5dzv1jxy86/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
fae8f28a64d1321bc7c90bdadca9edb951cc115bad51fde5347a85d8a6708d3e
MD5 hash:
3a701fa51d7e07891a057861cdcae660
SHA1 hash:
57e657a6b8070def47082e8312a6412c0a985be1
Link:
https://www.unpac.me/results/5823446b-02a4-4edf-b1bb-25ab49774985/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fae8f28a64d1321bc7c90bdadca9edb951cc115bad51fde5347a85d8a6708d3e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj a742ca94da38331e18967b9ff230167d7893c643ff935ce8be4d05ae2c18983c

GuLoader

Executable exe fae8f28a64d1321bc7c90bdadca9edb951cc115bad51fde5347a85d8a6708d3e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/952172/
  
Dropped by
MD5 8ae5442fd018a4af5544fa0b2e98602a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111940/
  
Dropped by
SHA256 a742ca94da38331e18967b9ff230167d7893c643ff935ce8be4d05ae2c18983c

Comments