MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
SHA3-384 hash: b12606fc8e95ea9cfe37e6097b3c8fee531172cf0668410aa280a3641818def37007d7fd5f7c4acd72e1ed38960e4deb
SHA1 hash: 8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
MD5 hash: e8bceea59b2074bd08bf68ab55ecdf3e
humanhash: london-pennsylvania-march-kentucky
File name:NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:466'944 bytes
First seen:2021-09-13 20:33:47 UTC
Last seen:2021-10-04 14:38:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 01b006fd37878659f6f60ca0efdc2460 (4 x GuLoader)
ssdeep 12288:8HLEuNNNNN6NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNGvNNNNNNasgTJ4KJ1Z:8HY2csg9h1Z
Threatray 5'257 similar samples on MalwareBazaar
TLSH T172A4B651F479C224D55F7F33EB14E5F50622EC6604F1E90B2688BE6334FA2DEE80AA45
dhash icon 69f0a2e6b2b2b269 (1 x GuLoader)
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
5
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Verdict:
No threats detected
Analysis date:
2021-09-13 20:35:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3a5526b-35d4-4090-9521-12c5f38342c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187572/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.30531.28160.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6175058bdb358dd15ed91da4/reports/9ded8043-2e26-4d7f-a1b3-de58a7924f04/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b601098f-3495-46e4-bd58-6aaf22429aba
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850156
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 482590 Sample: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 11 other signatures 2->42 10 NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 1 2->10         started        process3 signatures4 54 Tries to detect Any.run 10->54 56 Hides threads from debuggers 10->56 13 NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 6 10->13         started        process5 dnsIp6 34 www.paulassinkarchitect.nl 91.184.0.38, 443, 49817 HOSTNETNL Netherlands 13->34 58 Modifies the context of a thread in another process (thread injection) 13->58 60 Tries to detect Any.run 13->60 62 Maps a DLL or memory area into another process 13->62 64 3 other signatures 13->64 17 explorer.exe 13->17 injected signatures7 process8 dnsIp9 28 www.microsoftjob.com 91.195.240.117, 49830, 80 SEDO-ASDE Germany 17->28 30 everythingswallow.com 160.153.136.3, 49824, 80 GODADDY-AMSDE United States 17->30 32 10 other IPs or domains 17->32 44 System process connects to network (likely due to code injection or exploit) 17->44 21 rundll32.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 20:13:55 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
8 of 43 (18.60%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bndijwbfbgtopygbznrros7wrumczt7xli6rt4lieejhmbowg24a._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
27563e3971b4f2baf6bf551323b1538809038aa456d5e0c02dd5e6a902b8f0e6
GuLoader
384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f
GuLoader
39de6e1f455747a1e878f070e5b62e306a60bd595d5a1840518cc07972a5c6d1
GuLoader
3ec89e73e39d8f49eb7af879ca10a3b172a155b50cffd2e98dd4826c4284fd49
GuLoader
49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270
GuLoader
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
GuLoader
e909198f5ca355e38c8459bc7ae2028ee25f849fde5c37714f914b87a94b5182
GuLoader
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15
GuLoader
+ 5'247 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210913-zc2vraedb8/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/ef006d2a-0d3f-40dc-bb55-e531b8bef4c0/
SH256 hash:
0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
MD5 hash:
e8bceea59b2074bd08bf68ab55ecdf3e
SHA1 hash:
8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
Link:
https://www.unpac.me/results/ef006d2a-0d3f-40dc-bb55-e531b8bef4c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/187572/

Comments