MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18
SHA3-384 hash: 26dc4cfd4b623cc1fa80ba109898709d466fcb84fd6a35d29c07d8abc824ebe3109344f967ae1b9184c95ad29353fe05
SHA1 hash: bc5a1c7669ef742b644fb888b3f4391dac79c705
MD5 hash: 74558ab0b6c9a3d2202b149413178595
humanhash: quebec-robert-low-zulu
File name:RFQ 0111-20-10-26.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-10-26 14:10:28 UTC
Last seen:2020-10-26 19:16:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02d03956d3718b494e226bdaa75e0b1f (10 x GuLoader)
ssdeep 768:T/LT7h/irscXTECA6Upol6Wp36saPLibR/CnAwZOzCxr7RinVpzfVX6lEM1T:3hKrlDBA6U66uqsaPeRFYOw1ijzS
Threatray 2'712 similar samples on MalwareBazaar
TLSH 2493E613B99C5583C86547B8AE5B8F6C0A0FFD24B4C62ADB22A31DDE7F3D2414D1E219
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: xwx0.320.xoron.ml
Sending IP: 159.89.137.248
From: Dr MokSeng Chan <m.chan@amco-metall.dey>
Subject: RE: AMCO Special Profile Enquiry for Aluminium Plates and Bars
Attachment: RFQ 0111-20-10-26.rar (contains "RFQ 0111-20-10-26.exe")

GuLoader payload URL:
https://redesuperpops.com.br/trends/Kalied_Rewcur216.bin

Intelligence

File Origin
# of uploads :
3
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79143/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44206759.23096.14399.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511842
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305049 Sample: RFQ 0111-20-10-26.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 29 www.marsfarmgroup.com 2->29 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected GuLoader 2->41 43 7 other signatures 2->43 11 RFQ 0111-20-10-26.exe 1 2->11         started        signatures3 process4 signatures5 53 Tries to detect Any.run 11->53 55 Hides threads from debuggers 11->55 14 RFQ 0111-20-10-26.exe 6 11->14         started        process6 dnsIp7 35 redesuperpops.com.br 192.185.216.181, 443, 49727 UNIFIEDLAYER-AS-1US United States 14->35 57 Modifies the context of a thread in another process (thread injection) 14->57 59 Tries to detect Any.run 14->59 61 Maps a DLL or memory area into another process 14->61 63 3 other signatures 14->63 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 31 peiwu.net 162.241.24.164, 49753, 80 UNIFIEDLAYER-AS-1US United States 18->31 33 www.peiwu.net 18->33 45 System process connects to network (likely due to code injection or exploit) 18->45 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 03:18:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=itndjskpupa7xr36jumkornrawo3hannjzvaewuqkbfsxx5hh4ma._file
Verdict:
suspicious
Similar samples:
092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e
GuLoader
0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6
GuLoader
3f2c710a97bb42579ee2f9956437ff160a68bd787439fbc025ab3d6b46076d34
GuLoader
448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9
GuLoader
7d37b86ad0cb4b99038a10d6f95febfd7d1e096ab7ba28c6c02ada2b128873bf
GuLoader
8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c
GuLoader
9d4abcc57a7136faf706c30c8d644f1ac7b38a2adcff37072a4a7c356d2b8d57
GuLoader
d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818
GuLoader
d7a99f24befa69ac2bae23e028ef9342211ed018495b34b92b9e89448532584a
GuLoader
f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31
GuLoader
+ 2'702 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-emwltwrvy2/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 545613b2c72fd2a91a2a4e9e331484cfaa2a9cb4903c2651090afa034a133211

GuLoader

Executable exe 44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/750731/
  
Dropped by
MD5 7f7007891704ed717d822a61800b0e15
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 545613b2c72fd2a91a2a4e9e331484cfaa2a9cb4903c2651090afa034a133211
Cape
Cape
https://www.capesandbox.com/analysis/79143/

Comments