MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
SHA3-384 hash: 17b4441693166678e5e4d52170de12f95f3e013785e31733131a11d17722a1bcab6fa30fcdaf8fe3795899fd577b8a0b
SHA1 hash: d2e2087f83c1ef3d10cbe60acb721745d19306b3
MD5 hash: aed402d9a5675f5796265e5170ada7cb
humanhash: magazine-aspen-princess-mango
File name:Shipping Documents (INV,PL,BL)_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-11-20 07:46:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0cb4f4ece3f5875b40d2bf4babdf78ef (3 x GuLoader)
ssdeep 768:DYldnp1qLYHCVa/XGBCsdLD+isFihijpdpQU9z5cy1M:KdnGDauosdLD+isUEpYByq
Threatray 4'468 similar samples on MalwareBazaar
TLSH CC837C17B2C8E124F215BBB2A641E2FD05697F24DED79E1332C87F2EFA724457142229
Reporter abuse_ch
Tags:DHL exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: zoz0.213.xzov.ml
Sending IP: 159.89.99.175
From: DHL Support <support@dhl.com>
Subject: SHIPPING DOCUMENT
Attachment: Shipping Documents INV,PL,BL_pdf.rar (contains "Shipping Documents (INV,PL,BL)_pdf.exe")

GuLoader payload URL:
https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Gathering data
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/543803
Signature
Antivirus detection for URL or domain
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320999 Sample: Shipping Documents (INV,PL,... Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 29 www.leepl.com 2->29 31 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 2->31 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 12 other signatures 2->47 11 Shipping Documents (INV,PL,BL)_pdf.exe 1 2->11         started        signatures3 process4 signatures5 57 Tries to detect Any.run 11->57 59 Hides threads from debuggers 11->59 14 Shipping Documents (INV,PL,BL)_pdf.exe 6 11->14         started        process6 dnsIp7 39 lifeandhealth.com.mx 192.185.170.106, 443, 49699 UNIFIEDLAYER-AS-1US United States 14->39 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Tries to detect Any.run 14->63 65 Maps a DLL or memory area into another process 14->65 67 3 other signatures 14->67 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 33 www.iatlet.com 156.224.66.93, 49707, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->33 35 drinksandfruits.com 68.70.163.36, 49706, 80 NETSOURCEUS United States 18->35 37 www.drinksandfruits.com 18->37 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wlanext.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 07:47:04 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iq2qc6ou7xii7ubmak3th6amqlku6wxtdsfcimw6tt5wwenljkqa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
3b162f2943b2ee8d6075b2f8f4cbd7832e11b50ecdfcb4a68cf18eb1c7614651
GuLoader
4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe
GuLoader
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
GuLoader
722c38612f58a2762ae67f38d4342c7aaa59c89c3546cbe0d69f4700b55420fa
GuLoader
77aa8e597d8c1b23af6c98a85e717edde17106fdb806ceadc6cedef510b9e7c8
GuLoader
7d53275640b52b08bb54259f6bc85edad2dfe30b6b5f9cea9ddc8d7469d97cd8
GuLoader
a1817ff59a466c2c67ff443922da2ea3e4c67b8ed1a5e67c44a0fc4faa8956b9
GuLoader
aebcacef83bf139cf1f922a1c8687449286d661908b9ffbdd7e51866ebde4409
GuLoader
b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d
GuLoader
fa4d6e0887210c5f967d3349942cd846130e5c3c227e56cb0782ec4bc0d9bea5
GuLoader
+ 4'458 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201120-az2t16hbrs/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
MD5 hash:
aed402d9a5675f5796265e5170ada7cb
SHA1 hash:
d2e2087f83c1ef3d10cbe60acb721745d19306b3
Link:
https://www.unpac.me/results/227b169c-dc38-470f-b204-4485d89ba3ac/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar baccdcb2bf9fdae061f43fd3106975b8dd1074537abcb73e48456c10fbb1efc1

GuLoader

Executable exe 44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/835905/
  
Dropped by
MD5 3019d958eb87d5048a7329bccf69cdb0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 baccdcb2bf9fdae061f43fd3106975b8dd1074537abcb73e48456c10fbb1efc1

Comments