MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe68860d3d4320a2152bb2f3a636eb0f484f9f81a14b112c5f349b7c3d79f76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffe68860d3d4320a2152bb2f3a636eb0f484f9f81a14b112c5f349b7c3d79f76
SHA3-384 hash: ff8319e3ce9c727567f96b134b0da7e6ed85645f1adfa73406cd95b9085cfe6ff9f7179fe923f79e740b19729bd5b435
SHA1 hash: 6004678e8c57bb15179d60ebff70e621eb14df99
MD5 hash: a459c1e62b17cffd674cec72dfafb55f
humanhash: solar-hydrogen-tennis-double
File name:hussan.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-08-19 10:01:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep 768:fZxMeZ96RUP2tQ0RPMX5UBhX5HQSZl8otqMMP12yzh0C2eZ:bMeTOPPMJCX5wSofB12rC2e
Threatray 2'253 similar samples on MalwareBazaar
TLSH 01834B17B5E49AF1F77886722F689EF404EEBC305A46DD0775D83E492A33A04892532F
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48355/
Detection(s):
SecuriteInfo.com.Variant.Midie.74532.24194.10821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437360
Signature
Benign windows process drops PE files
Contains functionality to hide a thread from the debugger
Detected FormBook malware
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 271163 Sample: hussan.exe Startdate: 19/08/2020 Architecture: WINDOWS Score: 100 39 www.fxlifeapp.com 2->39 41 onedrive.live.com 2->41 43 6jqiyg.db.files.1drv.com 2->43 53 Malicious sample detected (through community Yara rule) 2->53 55 Yara detected GuLoader 2->55 57 Yara detected Generic Dropper 2->57 59 3 other signatures 2->59 11 hussan.exe 1 2->11         started        signatures3 process4 signatures5 73 Tries to detect Any.run 11->73 75 Tries to detect virtualization through RDTSC time measurements 11->75 77 Hides threads from debuggers 11->77 79 Contains functionality to hide a thread from the debugger 11->79 14 hussan.exe 6 11->14         started        process6 dnsIp7 49 onedrive.live.com 14->49 51 6jqiyg.db.files.1drv.com 14->51 81 Modifies the context of a thread in another process (thread injection) 14->81 83 Tries to detect Any.run 14->83 85 Maps a DLL or memory area into another process 14->85 87 3 other signatures 14->87 18 explorer.exe 1 6 14->18 injected signatures8 process9 dnsIp10 45 www.stalbertslab.com 192.185.4.96, 49744, 49745, 49746 UNIFIEDLAYER-AS-1US United States 18->45 47 www.starryskyeducation.net 120.27.20.217, 49743, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 18->47 33 C:\Users\user\AppData\Local\...\winvbnh.exe, PE32 18->33 dropped 61 System process connects to network (likely due to code injection or exploit) 18->61 63 Benign windows process drops PE files 18->63 23 msdt.exe 1 17 18->23         started        27 winvbnh.exe 1 18->27         started        file11 signatures12 process13 file14 35 C:\Users\user\AppData\...3558logrv.ini, data 23->35 dropped 37 C:\Users\user\AppData\...3758logri.ini, data 23->37 dropped 65 Detected FormBook malware 23->65 67 Tries to steal Mail credentials (via file access) 23->67 69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 71 3 other signatures 23->71 29 cmd.exe 1 23->29         started        signatures15 process16 process17 31 conhost.exe 29->31         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ffe68860d3d4320a2152bb2f3a636eb0f484f9f81a14b112c5f349b7c3d79f76/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 01:37:51 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=77tiqygt2qzauiksxmxtuy3owd2ij6pydiklcewf6ne3pq6xt53a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24
GuLoader
1e82d551bb0693edad6a527c0355b59476d25afc326168b616205fe186ca5a30
GuLoader
46c1beb680fee0894d6a58d53ee86faeb9dfa24db88f178580dfbd1385e4c581
GuLoader
5bd5a94befaf51c0702273d144aa5d31fc88e7f677ea33ea98408450e1b535d7
GuLoader
70ecffff57ecd39682bc7de003d937b43d0b0c9bfaadd315d236627475608e54
GuLoader
7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b
GuLoader
7eb341c011c4ea364ef927cfc57ac980111e9c49012834c3760896fec7f04d52
GuLoader
887de911a26e0008429adcba8abc212d36423fae62d40aa1df57e2883db77d45
GuLoader
8f06b49b371c6b257b716689b767ebf4bbc75391d0cf152b9bbe498ef55d017c
GuLoader
e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
GuLoader
+ 2'243 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200819-acby4h4yd2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.com/xus6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/48355/
  
URLhaus
https://urlhaus.abuse.ch/url/436412/

Comments