MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a
SHA3-384 hash: c60cc4d0785c9d90149bb70160b91d7761183f5904b03fba26701306ebd44daeafafad9a1561726e4f3a33a5dd6f5bd7
SHA1 hash: 7809d790017a583413222e2762ed135e0e2fe401
MD5 hash: 6b4b8bd58f14f070432e8dcd9bbfe95c
humanhash: happy-fish-oranges-paris
File name:RFQ-008A EQUIPMENT_MATERIALS SERVICES_Rev1.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:40'960 bytes
First seen:2020-10-07 04:47:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5bc0c0bbad22a8e0c850c5bf6a6271b5 (4 x GuLoader)
ssdeep 384:RhZj1eO5LuLs6jzIrLlufOpiFbT+LbRxoEHJHu2YmgCjpLAcl:RhZhBLuLJXOcGiFbyptgChAc
Threatray 2'264 similar samples on MalwareBazaar
TLSH 6E037D03E29495A2F9D947758D37FBB90A97AC301D028F1B3A883E6D6D70B419D3139E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: iw3.ich-2.com
Sending IP: 174.142.91.160
From: Enrique Fernández Schmitz <enriquefs@groupocobra.com>
Reply-To: Enrique Fernández Schmitz <enriquefs@groupocobra.com>
Subject: EPC GERMAN LNG Terminal (HAMBURGO, GERMANY) - RFQ-008A Equipment / Material Services - COBRA
Attachment: RFQ-008A EQUIPMENT_MATERIALS SERVICES_Rev1.exe

GuLoader payload URL:
http://iykemorelinkrtyu.webredirect.org/uploud//5bab0b1d864615bab0b1d864b3/bin_vENtxdINiE236.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68743/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483569
Signature
Antivirus detection for URL or domain
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294227 Sample: RFQ-008A EQUIPMENT_MATERIAL... Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 36 Potential malicious icon found 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 10 other signatures 2->42 10 RFQ-008A EQUIPMENT_MATERIALS SERVICES_Rev1.exe 2->10         started        process3 signatures4 52 Tries to detect Any.run 10->52 54 Hides threads from debuggers 10->54 13 RFQ-008A EQUIPMENT_MATERIALS SERVICES_Rev1.exe 6 10->13         started        process5 dnsIp6 34 iykemorelinkrtyu.webredirect.org 103.125.191.94, 49715, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 13->34 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Tries to detect Any.run 13->58 60 Maps a DLL or memory area into another process 13->60 62 3 other signatures 13->62 17 explorer.exe 13->17 injected signatures7 process8 dnsIp9 28 www.powernum123.com 107.160.215.61, 49752, 80 AS40676US United States 17->28 30 www.todosafavordomelhor.online 17->30 32 www.makblog.net 17->32 44 System process connects to network (likely due to code injection or exploit) 17->44 21 msdt.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 03:00:12 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ab2ljym5nlkvvnsxhv2sf2wq65nijodgmeomqez5bc2yadr3wmva._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1289d591984de5325235e57987ab171b4ae3f9d55baf3476087677805922427f
GuLoader
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
GuLoader
17314d9e48839344dafc7dbdb9af89ad08603a106fb09eda8f74af42dd8a8252
GuLoader
3b6460bb14fdce88ab8ec80e5cbfecbb15bbc09de1e75c51246d1c670925b340
GuLoader
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
GuLoader
6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff
GuLoader
784d9c10d108190a9e18b3d5756404a3e63fd728abd648225cbbf80c4f78fe76
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
c8e91120db97c2cc33d799fb33cefcb6e199cb68c824500f22ec8fc1736a90b4
GuLoader
d29fa6e0fa83a4332afc39315b3961e609bddc91c1b60590c82b009d20cd9f3a
GuLoader
+ 2'254 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201007-p48mca9nw6/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a
MD5 hash:
6b4b8bd58f14f070432e8dcd9bbfe95c
SHA1 hash:
7809d790017a583413222e2762ed135e0e2fe401
Link:
https://www.unpac.me/results/5397e819-f294-4d22-86dc-c9b39811cab9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/663175/
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68743/

Comments