MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03acd465f7023bd71c2eb105b5b78a377bdeff030fa56c85d0163411d9413d6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

SHA256 hash: 03acd465f7023bd71c2eb105b5b78a377bdeff030fa56c85d0163411d9413d6b
SHA3-384 hash: e8fdb84c50d93a1c9c097edd8c41bec825b9147674831b6696ea4724079723bb2203c06c79846ff598cca20ac368e751
SHA1 hash: 3ebf96fa486721d2ee7f8a5bb8bca210ecdef0ff
MD5 hash: 26264e5091cd39731554f32ea6044817
humanhash: april-echo-bravo-crazy
File name: upro.exe
Signature: GuLoader
File size: 151'552 bytes
First seen: 2020-05-08 08:57:08 UTC
Last seen: 2020-05-08 12:03:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e5294d176ce81bd6bb27c16b59e22557 (1 x GuLoader)
ssdeep: 768:o0klbXKR9UqpZCOySNsgULpo9HWxpTzf6ylp/VFfIgn3OMEpErc3yD9ga1txbC5t:S1OySNsP2sTb6yFfIg8P3yD28xb0UAZ
Threatray: 278 similar samples on MalwareBazaar
TLSH: DEE3FD457564DC6DF9007632D3EAB2AFEB08DDB5E936454F2072BD0A2F31D012DE2A29
Reporter: abuse_ch
Tags: GuLoader nVpn RAT RemcosRAT


abuse_ch
Malspam distributing GuLoader:

HELO: mta0.infocompany.cf
Sending IP: 165.227.212.172
From: Samsung Electronics<info@infocompany.cf>
Reply-To: info@infocompany.cf
Subject: RE:PURCHASE ORDER.
Attachment: Invoice.xlsm

RemcosRAT payload URL:
https://onedrive.live.com/download?cid=CFD8E120D47DF1A4&resid=CFD8E120D47DF1A4%211145&authkey=AAnhYSIwy-lKy3I

RemcosRAT C2:
185.140.53.29:2019

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence

File Origin
# of uploads: 2
# of downloads: 90
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-08 08:12:41 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as its delivery method and external references.

Malspam
  GuLoader: Executable exe 03acd465f7023bd71c2eb105b5b78a377bdeff030fa56c85d0163411d9413d6b (this sample)
    Dropping: RemcosRAT

Delivery method: Distributed via web download