MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3480ae4f4ba35f9f2c70d89ad705ff9b64aab46de7e7df8942b1425d67d0eebc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

SHA256 hash: 3480ae4f4ba35f9f2c70d89ad705ff9b64aab46de7e7df8942b1425d67d0eebc
SHA3-384 hash: 9e50d43ec97ac63ec8ed165c3b34b419b517461981c97da53315b4ed9d66bc7dbb633a9104b0d6d13677a720cbd73542
SHA1 hash: 12ad5a2cca64e6a22752c923948d2ccf45c41fcc
MD5 hash: 5169115479eaa7b6ed82ee4baa2aea80
humanhash: louisiana-oscar-failed-arkansas
File name: rechnung.exe
Signature: GuLoader
File size: 156'103 bytes
First seen: 2020-06-03 13:39:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 87b244662c3b3d8e37b9ebb95847028d (1 x GuLoader)
ssdeep: 3072:4H2P2p3J1wpfsx2lQBV+UdE+rECWp7hKt8imlD:4WP2HrBV+UdvrEFp7hKt8rx
Threatray: 122 similar samples on MalwareBazaar
TLSH: 89E3AE12654887E9E2D041B07C2A99156FE5A83C44DF069AB30F1B57AF7C7239ECC62F
Reporter: abuse_ch
Tags: exe, GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: dd29502.kasserver.com
Sending IP: 85.13.151.31
From: Sebastian Klein <info@klein-gala.de>
Subject: AW: AW: Zahlungsbeleg und Auftragsbestätigung 2-06-20 Rechnung_20-613129926-001
Attachment: rechnung.zip (contains "rechnung.exe")

GuLoader payload URL:
http://156.96.118.179/slxslx-2RAW_gwKBF147.bin

Intelligence

File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Virus.Floxif
Status: Malicious
First seen: 2020-06-03 13:45:50 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 44 of 48 (91.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
UPX packed file

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Malware_Floxif_mpsvc_dll
Author: Florian Roth
Description: Malware - Floxif
Reference: Internal Research

Rule name: MAL_Floxif_Generic
Author: Florian Roth
Description: Detects Floxif Malware
Reference: Internal Research

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: SUSP_Microsoft_Copyright_String_Anomaly_2
Author: Florian Roth
Description: Detects Floxif Malware
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe 3480ae4f4ba35f9f2c70d89ad705ff9b64aab46de7e7df8942b1425d67d0eebc (this sample)

Delivery method: Distributed via e-mail attachment