MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36e4352b2e4961e1ca1dd47baadf462af3e97fd0ebfb0c5694a5c6e22322c1c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36e4352b2e4961e1ca1dd47baadf462af3e97fd0ebfb0c5694a5c6e22322c1c1
SHA3-384 hash: 3d4125e44d9163f44f3c4e1a7fcf242b52762a751bc0b8904449571511bbcee5543ad6d1dbd983d74f8359ea90360f6c
SHA1 hash: 5d00214f62f1ba1952d9aeeeb85472a044f27735
MD5 hash: 9eb7cad434dbfb7bb3e7e184df138c15
humanhash: comet-idaho-zulu-berlin
File name:Document.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'054'722 bytes
First seen:2020-05-04 22:15:13 UTC
Last seen:2020-05-05 05:45:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e453637f2317c3675b7b06b57403e87a (2 x RemcosRAT, 1 x GuLoader)
ssdeep 24576:cgTfvH5kDYtfLWyfhcEwyzd6TIk5ZtXsY:cgTffS1sOc6TIO
Threatray 921 similar samples on MalwareBazaar
TLSH 02257D22A253DA37C12355389D7F56B8E836BE136F6858472AF52C3C1EF93413837296
Reporter abuse_ch
Tags:Azure DHL exe GuLoader nVpn RAT


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: sunn1.southcentralus.cloudapp.azure.com
Sending IP: 13.66.51.68
From: Dhl Customer Support <Support@dhl.com>
Subject: Order Delivery Failed
Attachment: Attachment.iso (contains "Document.exe")

GuLoader pushing RemcosRAT from drive.google.com

RemcosRAT C2s:
rex2018.hopto.org:2404
rex2018.myddns.me:2404
rex2020.myddns.me:2404
myb50.myddns.me:2404
johnhoff2.hopto.org:2404
jbcbeads.myddns.rocks:2404 (79.134.225.107)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
3
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Zusy.302747.15832.15474.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 22:36:28 UTC
File Type:
PE (Exe)
Extracted files:
87
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3sdkkzojfq6dsq52r52vx2gflz6s76q5p5qyvuuuxdoeizcyhaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f307822855aabba644e0f79751eeb5f26e0575ae5ade7c6507c6d1ea7a64725
GuLoader
18aae95253ffa453609ef3e1150cf9c2b167a1b1c59ae1270e279f8d5e070c27
GuLoader
3b13ea61e91a0312f8c187096e435168cee2d2277c46373d01899497345bd0e9
GuLoader
667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87
GuLoader
93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946
GuLoader
b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf
GuLoader
c0a656a2f73c254ed2f1e73630083849890b7c1e36161e89fe29d2fd014f9fff
GuLoader
de45e137eeda4de58d4840e499559e36ee01256b6180e87249ec035525db6b9c
GuLoader
eee72be9b19c5e0fa5fd1b5404798a7ccd5b73830249562f9465583004980a18
GuLoader
f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8
GuLoader
+ 911 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-w7ef4wzqx6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 8fd3b343c562779916904e59713ac5366eb442b6a6d6e7008a357c5780e135b7

GuLoader

Executable exe 36e4352b2e4961e1ca1dd47baadf462af3e97fd0ebfb0c5694a5c6e22322c1c1

(this sample)

  
Dropped by
MD5 ddea11d7836e777765e1d7bd9fbcc46c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8fd3b343c562779916904e59713ac5366eb442b6a6d6e7008a357c5780e135b7

Comments