MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0de340a2a9794b550122c8fa1ec237c8d10d1b17473f93313394de1be0906d35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0de340a2a9794b550122c8fa1ec237c8d10d1b17473f93313394de1be0906d35
SHA3-384 hash: 6194566c2b1ff50a8a27bf68a194fb4c3d2c83cc9ac35255eb85206b65174e01ecfd3b8a2acf8fc3cbea8ed20c57642d
SHA1 hash: d97c874a9d02f7ba05e3c108e479576e43385256
MD5 hash: 1573f872ef0f8707af61a871f4df2e54
humanhash: seven-delta-artist-florida
File name:Logo.jpg.jpg.jpg.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-08-14 09:16:07 UTC
Last seen:2020-08-14 09:42:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 013e8ea5fe0c6a0b4b7c5237fb08d0c1 (1 x GuLoader)
ssdeep 1536:N+lQjwFc6RocXVYA7anA8zT6C6SUzh1U7:N+l2w/zXVhwT0t1U7
Threatray 15 similar samples on MalwareBazaar
TLSH 529318539588A131FA58CFB529365CAB427BBF347D79DA0B6C087E392B33A938051347
Reporter abuse_ch
Tags:GuLoader Hostwinds scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: hwsrv-760908.hostwindsdns.com
Sending IP: 104.168.213.82
From: info@kamaehr.com
Reply-To: info@kamaehr.com
Subject: 5 x 40 ft Containers
Attachment: Product_Order_me.zip (contains "Logo.jpg.jpg.jpg.scr")

GuLoader payload URL:
https://onedrive.live.com/download?cid=798F780A1F816F26&resid=798F780A1F816F26%21104&authkey=APbP73rT5v6R7SA

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45696/
Detection(s):
SecuriteInfo.com.Variant.Graftor.816111.1639.2177.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Modifying a system executable file
Creating a process from a recently created file
Deleting a recently created file
Connection attempt
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AveMaria GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/429150
Signature
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 267061 Sample: Logo.jpg.jpg.jpg.scr Startdate: 15/08/2020 Architecture: WINDOWS Score: 100 72 Yara detected GuLoader 2->72 74 Yara detected Generic Dropper 2->74 76 Yara detected AveMaria stealer 2->76 78 2 other signatures 2->78 10 Logo.jpg.jpg.jpg.exe 1 2 2->10         started        13 wscript.exe 2->13         started        15 wscript.exe 2->15         started        17 OpenWith.exe 2->17         started        process3 signatures4 92 Creates autostart registry keys with suspicious values (likely registry only malware) 10->92 94 Drops PE files with a suspicious file extension 10->94 96 Tries to detect Any.run 10->96 98 3 other signatures 10->98 19 Logo.jpg.jpg.jpg.exe 1 18 10->19         started        24 fInv.scr 2 13->24         started        26 fInv.scr 15->26         started        process5 dnsIp6 54 onedrive.live.com 19->54 56 awzaua.db.files.1drv.com 19->56 50 C:\Users\user\AppData\Local\Temp\...\fInv.scr, PE32 19->50 dropped 52 C:\Users\user\AppData\Local\Temp\...\fInv.vbs, ASCII 19->52 dropped 80 Tries to detect Any.run 19->80 82 Hides threads from debuggers 19->82 28 fInv.scr 2 19->28         started        31 fInv.scr 24->31         started        34 fInv.scr 26->34         started        file7 signatures8 process9 dnsIp10 100 Tries to detect Any.run 28->100 102 Tries to detect virtualization through RDTSC time measurements 28->102 104 Hides threads from debuggers 28->104 36 fInv.scr 3 9 28->36         started        64 onedrive.live.com 31->64 66 3axn6q.dm.files.1drv.com 31->66 68 onedrive.live.com 34->68 70 3axn6q.dm.files.1drv.com 34->70 signatures11 process12 dnsIp13 58 216.170.119.24, 49729, 5200 AS-COLOCROSSINGUS United States 36->58 60 onedrive.live.com 36->60 62 3axn6q.dm.files.1drv.com 36->62 84 Writes to foreign memory regions 36->84 86 Allocates memory in foreign processes 36->86 88 Tries to detect Any.run 36->88 90 4 other signatures 36->90 40 cmd.exe 36->40         started        42 powershell.exe 25 36->42         started        signatures14 process15 process16 44 conhost.exe 40->44         started        46 WerFault.exe 40->46         started        48 conhost.exe 42->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0de340a2a9794b550122c8fa1ec237c8d10d1b17473f93313394de1be0906d35/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 09:18:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxrubivjpffvkajczd5b5qrxzdiq2gyxi47zgmjtstpbxyeqnu2q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
02f41fdda70c06784cceadc52eb976538f65a46ef22f0700f5daa13a9e856587
GuLoader
03d585ea89f4e62bc18d42d1fadad0b02faca6d68c831e79fb542e9efd183f7a
GuLoader
3ab58a49c5634a26cb2f625a97ad065d8f03d8dce711e2581e3521e2bae2b6c8
GuLoader
3d2d12103e20f7d20f54c3cab60a66d6e7deee7db68a2c2f1d396a710554451e
GuLoader
545bc37874b09c18f4fcef578eb3f9f3d47673255bbc32bc41986fc4e71f896f
GuLoader
6617979630def30c8a103baceedd1ddb972a53b984de91682aa93451faf833bb
GuLoader
a465bb38250994671f200d8c66cfc0718354bc8974713ba6f9f3eb15a4acec7d
GuLoader
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
GuLoader
e6bdca558fb485e6ac7295d20f868902f2b790bc147fb3ab1e3a6628280d40f3
GuLoader
fee0d04292d5bb7b74e3fdfba682f02302c70ffcbc69a7d572fa9e190a683e64
GuLoader
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence
Link:
https://tria.ge/reports/200814-3462d86fl6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/0de340a2a9794b550122c8fa1ec237c8d10d1b17473f93313394de1be0906d35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 98a1b3fd65c648090ace36b4cbdac4156c1a6498b8c8956ee938788d7251153d

GuLoader

Executable exe 0de340a2a9794b550122c8fa1ec237c8d10d1b17473f93313394de1be0906d35

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/432986/
  
Dropped by
MD5 29b274d149df560788dd064537f85b42
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45696/
  
Dropped by
SHA256 98a1b3fd65c648090ace36b4cbdac4156c1a6498b8c8956ee938788d7251153d

Comments