MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44b9088e8bd1c22c10d5ea77951a3dda0884a8564187a8f98a4472120f374c91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44b9088e8bd1c22c10d5ea77951a3dda0884a8564187a8f98a4472120f374c91
SHA3-384 hash: b4de21281ac11372a966ecf1f89c54dade4d1e6a990c72714da60e3a45553cdbe08ec9ff00d054b4e642073103ca44c3
SHA1 hash: ce85b3222656161a2981180bfcb4ea7d33837f90
MD5 hash: e19f54257ca4ca7f0753485fa5b76712
humanhash: south-december-uncle-football
File name:CICERO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:102'400 bytes
First seen:2020-05-22 10:13:07 UTC
Last seen:2020-05-22 10:52:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97b581b4fa6c37442cd17bccaaae89b3 (1 x GuLoader)
ssdeep 768:5t8vqmWVd6qtzGrmV5DWAY6VF4Eb1+ulJ0G67Wk6x2vEOgzpbAzMXbLFYVld/PT:P+qttzasVv+ullcWH2vE/UzULFYVldD
Threatray 584 similar samples on MalwareBazaar
TLSH 79A307217AA0E9F2C8758FB34D75196820EBAC7554630E0769CA3E1F2C7B992AD74307
Reporter abuse_ch
Tags:DEU exe geo GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mout.kundenserver.de
Sending IP: 212.227.17.13
From: info@zahnarztpraxis-dortmund.com
Subject: AW: AW: Zahlungsbeleg und Auftragsbestätigung 21-05-20 Rechnung_20-613129926-001
Attachment: Rechnung1.zip (contains "CICERO.exe")

GuLoader payload URL:
http://156.96.118.179/RSol.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Ursu.878098.15648.9773.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 15:49:45 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 31 (64.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
azorult
Create hunting rule
guloader
Create hunting rule
Similar samples:
05a1356768e4475daeebaae76e486705d2d920e7e4d511c1436ea3f9a650c1df
GuLoader
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
GuLoader
81337231c53d0927b5aaff1792d71b5f5270e268e1909267ad3bd79951e72642
GuLoader
85a40f3f59fb797494adf184b0dbee2b3d8089e9686b9f484c5242c5a75085a9
GuLoader
9e17a9c1b1d0db2c9cd8fdf42c475712f8faaa68cb08bbff910a2927b910d88f
GuLoader
9ffc0cc7f5b6bfb1e02d404b6d850e2fd72a778a1a2582fc061723f084cc73c2
GuLoader
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
GuLoader
d60af7a38f3b01fa2c7926959f9c65b91d9dac09da0e6e0431237ffd58b2e8f0
GuLoader
e9bcebb30731ce1c7ecca26eb2d6a717caf06824fd834775e571d4f684f9d279
GuLoader
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
GuLoader
+ 574 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-t4vprww286/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip fa1c946415d491964bdb3e0b3ecb5288c9673a665c0fe3cff0a7862ce557001b

GuLoader

Executable exe 44b9088e8bd1c22c10d5ea77951a3dda0884a8564187a8f98a4472120f374c91

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366085/
  
Dropped by
MD5 22996f39e2677855c71e670d38da8c98
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fa1c946415d491964bdb3e0b3ecb5288c9673a665c0fe3cff0a7862ce557001b

Comments