MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fec8c1d5d9684d4504d77d2b9e5bc5af9b4701d3f893968bb3746c4578bbd093. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fec8c1d5d9684d4504d77d2b9e5bc5af9b4701d3f893968bb3746c4578bbd093
SHA3-384 hash: 0b63255611bc74241b51bb78ac9672879c96eb2feeed9733705d6dad84c15199f979da4c568a220e8f475f3bccba185c
SHA1 hash: a614dc45373a56cd166b1f160efe7fb4c85c14bb
MD5 hash: 29f36460405c79b1e86363f94b5a28ea
humanhash: nine-colorado-leopard-jupiter
File name:RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2021-01-13 07:32:16 UTC
Last seen:2021-01-13 09:38:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f08e2fa188bfdb85d74117a6c20b7544 (14 x GuLoader)
ssdeep 768:MvKdvGHFEcGrd6GEj36xbpNyzrZbW5AotOuWzE:HdyFbOc36NnEW6+OFE
TLSH 29830AA1E730DF76DB4D4C3AC011F6B841B97068D6924126B07E7E5FE8A734018ADB5E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.facetohen.ga
Sending IP: 5.8.93.141
From: Traân troïng <sales.phatdt58@gmail.com>
Subject: REQUEST FOR QUOTATION RFQ#89234A-2021
Attachment: RFQ89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.arj (contains "RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=A951308400164DD4&resid=A951308400164DD4%21106&authkey=APE43C5aWsOop18

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe
Verdict:
No threats detected
Analysis date:
2021-01-13 09:44:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a790ea5d-a09f-4784-8bb5-b8579ba53cbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111721/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trojan.mm.29646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/579940
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fec8c1d5d9684d4504d77d2b9e5bc5af9b4701d3f893968bb3746c4578bbd093/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-13 01:52:17 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=73emdvoznbgukbgxpuvz4w6fv6nuoaot7cjznc5torwek6f32cjq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210113-2qjks8wq7j/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
fec8c1d5d9684d4504d77d2b9e5bc5af9b4701d3f893968bb3746c4578bbd093
MD5 hash:
29f36460405c79b1e86363f94b5a28ea
SHA1 hash:
a614dc45373a56cd166b1f160efe7fb4c85c14bb
Link:
https://www.unpac.me/results/af4a4e8a-6c4e-4076-a8ea-e29c8e7826e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fec8c1d5d9684d4504d77d2b9e5bc5af9b4701d3f893968bb3746c4578bbd093

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj 05858812dbd7ab6bde7beb90e78adad42522eb445484776fbb74fdcb4044814d

GuLoader

Executable exe fec8c1d5d9684d4504d77d2b9e5bc5af9b4701d3f893968bb3746c4578bbd093

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/952172/
  
Dropped by
MD5 f0db385c7ea163cca8245199efc6b766
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 05858812dbd7ab6bde7beb90e78adad42522eb445484776fbb74fdcb4044814d
Cape
Cape
https://www.capesandbox.com/analysis/111721/

Comments