MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ade913d64b215c53ea446147f59738d870c8f46e7f4cbd10b2212e804ab6f73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ade913d64b215c53ea446147f59738d870c8f46e7f4cbd10b2212e804ab6f73
SHA3-384 hash: 9a6284aa4b1f6819979596f5efeb846a191405071bd3de51c8beb5aa603a1c1fd142757b903f3b4f89cc4b5a2e152a50
SHA1 hash: 38681054b85278d75c63f4ff73b1a7f174591897
MD5 hash: bf424574cd5b5ced9c765eaf6b8dcf6f
humanhash: foxtrot-bacon-football-hydrogen
File name:BEST.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:45'056 bytes
First seen:2020-10-09 06:31:32 UTC
Last seen:2020-10-09 08:02:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa2be13d1e80c03bea591b40e3102f5 (4 x GuLoader)
ssdeep 768:lDEZ1v0ELuL3iGrXgQHhwM3ouBns8GDy7wXJl:GXDuhFeIou5GJ
Threatray 2'279 similar samples on MalwareBazaar
TLSH 82137D07BD5A6073F1998BBC4E27DF9D0D963C3A05D00E033B983B6E5E31A465C2576A
Reporter abuse_ch
Tags:exe geo GuLoader KOR


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: linux.avaserver.com
Sending IP: 95.217.137.242
From: 김병준 <bkim@hec-co.kr>
Reply-To: 김병준 <bkim@hec-co.kr>
Subject: RFQ For Canada New Energy Plant Project
Attachment: Request For Quotation Details_Rev1.img (contains "BEST.exe")

GuLoader payload URL:
http://iykemorelinkrtyu.webredirect.org/uploud//5bab0b1d864615bab0b1d864b3/bin_IYuTkYQC244.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69445/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486363
Signature
Antivirus detection for URL or domain
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 295639 Sample: BEST.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 29 www.shantiomwellness.com 2->29 31 ext-sq.squarespace.com 2->31 41 Potential malicious icon found 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 7 other signatures 2->47 11 BEST.exe 2->11         started        signatures3 process4 signatures5 57 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->57 59 Tries to detect Any.run 11->59 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Hides threads from debuggers 11->63 14 BEST.exe 6 11->14         started        process6 dnsIp7 39 iykemorelinkrtyu.webredirect.org 103.125.191.94, 49725, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 14->39 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Tries to detect Any.run 14->67 69 Maps a DLL or memory area into another process 14->69 71 3 other signatures 14->71 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 33 warukirahinga.com 192.185.129.112, 49738, 80 UNIFIEDLAYER-AS-1US United States 18->33 35 www.warukirahinga.com 18->35 37 www.growinggutsybabies.com 18->37 49 System process connects to network (likely due to code injection or exploit) 18->49 22 cmd.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ade913d64b215c53ea446147f59738d870c8f46e7f4cbd10b2212e804ab6f73/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 03:25:49 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlpjcplewik4kpveiykh6wltrwdqzd2g472mxuileijoqbfln5zq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1289d591984de5325235e57987ab171b4ae3f9d55baf3476087677805922427f
GuLoader
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
GuLoader
1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b
GuLoader
3d58f8ebad7482150089af4041e1ef4297e21fe85e2e49c85b7661fbed2bab28
GuLoader
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
GuLoader
967ea109385c23aa2c0a841295eb33b1f25d25b836903cbabe33a9c1fb2ee267
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
ab138bbc4c50028ba5fcb2f2fb9dd1907647c1503eefebf01ad0fbb2f8d92fb1
GuLoader
ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74
GuLoader
fce8a94adda657c79b4fbe7b2b4ef4062d27b0c15108b23ae6cb9dc545a267f8
GuLoader
+ 2'269 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201009-bw3w26e56x/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
3ade913d64b215c53ea446147f59738d870c8f46e7f4cbd10b2212e804ab6f73
MD5 hash:
bf424574cd5b5ced9c765eaf6b8dcf6f
SHA1 hash:
38681054b85278d75c63f4ff73b1a7f174591897
Link:
https://www.unpac.me/results/98c84bfb-6dc8-4837-bdb4-81a3c5543c34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ade913d64b215c53ea446147f59738d870c8f46e7f4cbd10b2212e804ab6f73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 0273df3dcf14950b05fac656ce725b0f6cf9bbf057b68dca34f255b045c203fe

GuLoader

Executable exe 3ade913d64b215c53ea446147f59738d870c8f46e7f4cbd10b2212e804ab6f73

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/673374/
  
Dropped by
MD5 28a9fef922176ca9066f8823e483e367
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69445/
  
Dropped by
SHA256 0273df3dcf14950b05fac656ce725b0f6cf9bbf057b68dca34f255b045c203fe

Comments