MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dd90bca336828bb4832d955a81ccff768202342522cb480cdd85afbad92d887. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dd90bca336828bb4832d955a81ccff768202342522cb480cdd85afbad92d887
SHA3-384 hash: 14f9ff339335b556470a02e90370b7fbdae47c3b3e6f3b914b3071748c848399e3ba3b57ef6537341275140dd17bccc6
SHA1 hash: 833d4d95e0a6ca5150e3cc93dcc46d57e2d9954c
MD5 hash: 01a73a74c0f01ff769fcd5fcaae92598
humanhash: victor-lion-india-steak
File name:01a73a74c0f01ff769fcd5fcaae92598
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2021-09-29 09:35:03 UTC
Last seen:2021-09-29 12:12:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a587116cc4241097b364fa915d1c4c46 (6 x GuLoader)
ssdeep 1536:e0ekkZggj9rlDld1rZWuHbQXMRQ/cvnHGM:NekkZggxvZNHUdKHf
Threatray 5'562 similar samples on MalwareBazaar
TLSH T1A4B33940F580EC5DE4904ABF84D28EF85521AFE6893147037395FEDC3B7AA8CEA1E255
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
79032189.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-29 06:22:28 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/01dec09b-1199-414f-be76-a958be34c289

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193063/
Detection(s):
SecuriteInfo.com.Variant.Razy.947945.27037.32181.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/216d603c-09e9-4d4d-92af-b0086b8d5843
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860727
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1404 Sample: CpUNO6WMEm.exe Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 56 www.vi88.info 2->56 58 www.thesewhitevvalls.com 2->58 60 46 other IPs or domains 2->60 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Potential malicious icon found 2->78 80 Found malware configuration 2->80 82 10 other signatures 2->82 11 CpUNO6WMEm.exe 1 1 2->11         started        signatures3 process4 signatures5 100 Creates autostart registry keys with suspicious values (likely registry only malware) 11->100 102 Creates multiple autostart registry keys 11->102 104 Tries to detect Any.run 11->104 106 Hides threads from debuggers 11->106 14 CpUNO6WMEm.exe 9 11->14         started        process6 dnsIp7 68 185.222.58.118, 49821, 49856, 49860 ROOTLAYERNETNL Netherlands 14->68 108 Modifies the context of a thread in another process (thread injection) 14->108 110 Tries to detect Any.run 14->110 112 Maps a DLL or memory area into another process 14->112 114 3 other signatures 14->114 18 explorer.exe 3 6 14->18 injected signatures8 process9 dnsIp10 62 www.hsvfingerprinting.com 192.185.0.218, 49906, 80 UNIFIEDLAYER-AS-1US United States 18->62 64 roleconstructora.com 192.185.131.113, 49826, 80 UNIFIEDLAYER-AS-1US United States 18->64 66 20 other IPs or domains 18->66 50 C:\Users\user\AppData\...\l0hlmhz8p707bmx.exe, PE32 18->50 dropped 84 System process connects to network (likely due to code injection or exploit) 18->84 86 Benign windows process drops PE files 18->86 23 cmd.exe 1 12 18->23         started        26 l0hlmhz8p707bmx.exe 1 18->26         started        28 l0hlmhz8p707bmx.exe 1 18->28         started        30 l0hlmhz8p707bmx.exe 1 18->30         started        file11 signatures12 process13 signatures14 88 Tries to steal Mail credentials (via file access) 23->88 90 Self deletion via cmd delete 23->90 92 Creates multiple autostart registry keys 23->92 98 5 other signatures 23->98 32 cmd.exe 2 23->32         started        35 cmd.exe 1 23->35         started        37 firefox.exe 23->37         started        94 Tries to detect Any.run 26->94 96 Hides threads from debuggers 26->96 39 l0hlmhz8p707bmx.exe 7 26->39         started        42 l0hlmhz8p707bmx.exe 7 28->42         started        44 l0hlmhz8p707bmx.exe 7 30->44         started        process15 file16 70 Tries to harvest and steal browser information (history, passwords, etc) 32->70 46 conhost.exe 32->46         started        48 conhost.exe 35->48         started        52 C:\Users\user\AppData\Local\...\Thymiest.exe, PE32 39->52 dropped 54 C:\Users\user\AppData\Local\...\Thymiest.vbs, ASCII 39->54 dropped 72 Tries to detect Any.run 39->72 74 Hides threads from debuggers 39->74 signatures17 process18
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3dd90bca336828bb4832d955a81ccff768202342522cb480cdd85afbad92d887/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 08:24:29 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxmqxsrtnaulwsbs3fk2qhgp65ucai2ckiwljagn3bnpxlms3cdq._file
Verdict:
malicious
Similar samples:
07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
GuLoader
1331627a168114afd060f2e1f87af4c73de8e7960aeb045b3df51b0cd83ee65c
GuLoader
1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
GuLoader
250ff8077acf0f36a91dd6b7fc485ac2b7b25854824c02e4212f1ff64b6f2a41
GuLoader
3b73187bb0bb1bc3f9b112710969da4340b5791d63c6ac0d45f7c2bbf2dfd588
GuLoader
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
GuLoader
63349f5e1cb7e662593709d14ed76838362d5b81fd3efedf1b7b307f343fe377
GuLoader
bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c
GuLoader
ceb40b25f6ccefa258ca5e9dab520e63280fbb2fdcb2c9cf89df17defd3b6f24
GuLoader
e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
GuLoader
+ 5'552 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210929-lkb3eaedd2/
Behaviour
Suspicious use of SetWindowsHookEx
Guloader,Cloudeye
Unpacked files
SH256 hash:
3dd90bca336828bb4832d955a81ccff768202342522cb480cdd85afbad92d887
MD5 hash:
01a73a74c0f01ff769fcd5fcaae92598
SHA1 hash:
833d4d95e0a6ca5150e3cc93dcc46d57e2d9954c
Link:
https://www.unpac.me/results/a9bacaea-2e66-4960-bb36-18449120f3c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3dd90bca336828bb4832d955a81ccff768202342522cb480cdd85afbad92d887

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 3dd90bca336828bb4832d955a81ccff768202342522cb480cdd85afbad92d887

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193063/
  
URLhaus
https://urlhaus.abuse.ch/url/1647635/

Comments