MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45310ab9b43a84346d6c41c5286fab15c4921920461aa2c58ecf375d6070d4ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45310ab9b43a84346d6c41c5286fab15c4921920461aa2c58ecf375d6070d4ef
SHA3-384 hash: e21f3bb875b8cfd8d6dcfe9128b9e4760485f7f064d3649f10a763972e95d9fbe542b6ed3138a0afe8aeda7606f28a67
SHA1 hash: bf241ae6487f1fcedf9d847acda884ee53f75099
MD5 hash: 2f41e0a47ad4524390eae2253eba490d
humanhash: wolfram-london-glucose-ack
File name:Invoice Jpg jpg jpg jpg.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-08-19 12:21:33 UTC
Last seen:2020-08-19 12:45:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep 768:64mKGuKQmzp4TWR97A59dBg4OkSwSXyjx2WpLIrK087qCTaVRV5/XN0ecHt:7VGjhRxg9xOfCj3aTWqCTaVR109t
Threatray 17 similar samples on MalwareBazaar
TLSH 18934A86E18486F9F76957B04A310EF500EF7D38E8A0D907B4C8B8A57BB7A41457633B
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: slot0.ricksaezp.com
Sending IP: 104.168.173.112
From: info@ricksaezp.com
Reply-To: info@ricksaezp.com
Subject: ATTACHED FILE PRODUCTS NEEDED PLEASE
Attachment: Product_Me_Order_Pictures _pdf.zip (contains "Invoice Jpg jpg jpg jpg.scr")

GuLoader payload URL:
https://onedrive.live.com/download?cid=7F7C3987A4C50581&resid=7F7C3987A4C50581%21107&authkey=ANYfyUUreqQVIdc

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48494/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34383264.16792.27037.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a process from a recently created file
Searching for the window
Deleting a recently created file
Setting a global event handler
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Threat name:
Ardamax GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437908
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Initial sample is a PE file and has a suspicious name
Installs a global get message hook
Installs a global keyboard hook
Modifies the prolog of user mode functions (user mode inline hooks)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Writes to foreign memory regions
Yara detected Ardamax
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271444 Sample: Invoice Jpg jpg jpg jpg.scr Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Yara detected GuLoader 2->58 60 Yara detected Ardamax 2->60 62 5 other signatures 2->62 8 Invoice Jpg jpg jpg jpg.exe 1 2->8         started        11 Hopeless.scr 1 2->11         started        13 Hopeless.scr 1 2->13         started        15 TSH.exe 2->15         started        process3 signatures4 82 Writes to foreign memory regions 8->82 84 Tries to detect Any.run 8->84 86 Hides threads from debuggers 8->86 17 RegAsm.exe 1 18 8->17         started        22 RegAsm.exe 14 11->22         started        24 RegAsm.exe 14 13->24         started        process5 dnsIp6 48 landzro365groupe.com 192.64.118.122, 443, 49724, 49725 NAMECHEAP-NETUS United States 17->48 50 onedrive.live.com 17->50 38 C:\Users\user\designs.exe, PE32+ 17->38 dropped 40 C:\Users\user\COCKMASTER\Hopeless.scr, PE32 17->40 dropped 64 Creates autostart registry keys with suspicious values (likely registry only malware) 17->64 66 Creates multiple autostart registry keys 17->66 68 Drops PE files to the user root directory 17->68 74 2 other signatures 17->74 26 designs.exe 14 17->26         started        29 conhost.exe 17->29         started        52 onedrive.live.com 22->52 31 conhost.exe 22->31         started        54 onedrive.live.com 24->54 70 Tries to detect Any.run 24->70 72 Hides threads from debuggers 24->72 33 conhost.exe 24->33         started        file7 signatures8 process9 file10 42 C:\ProgramData\QQOFCC\TSH.exe, PE32+ 26->42 dropped 44 C:\ProgramData\QQOFCC\TSH.02, PE32+ 26->44 dropped 46 C:\ProgramData\QQOFCC\TSH.01, PE32+ 26->46 dropped 35 TSH.exe 1 15 26->35         started        process11 signatures12 76 Creates multiple autostart registry keys 35->76 78 Installs a global get message hook 35->78 80 Installs a global keyboard hook 35->80
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/45310ab9b43a84346d6c41c5286fab15c4921920461aa2c58ecf375d6070d4ef/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 14:32:16 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iuyqvonuhkcdi3lmihcsq35lcxcjegjaiynkfrmoz43v2ydq2txq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
6a07e270c189e9059526fc2570c7e4039f1140115e2f8544bba2b6f5923ac2ce
GuLoader
726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352
GuLoader
784de198ef93d833ca1fee15a525d646a632e33e82f69f113d9c79f9bce94dfa
GuLoader
7c3b056caf85497f39a72bcdde137abc70b81612496a358a8627fd4994f84203
GuLoader
9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
GuLoader
c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde
GuLoader
d2b7389c9dd63fb1b147537c52572bbc09bec5c080474000e113b31aa249388a
GuLoader
d48bd7c50cc69b4f73766563fde6a1444b64a725acb7b988e75bdc54b945d383
GuLoader
fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241
GuLoader
ffe68860d3d4320a2152bb2f3a636eb0f484f9f81a14b112c5f349b7c3d79f76
GuLoader
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200819-spdldfc6bj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/45310ab9b43a84346d6c41c5286fab15c4921920461aa2c58ecf375d6070d4ef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

GuLoader

Executable exe 45310ab9b43a84346d6c41c5286fab15c4921920461aa2c58ecf375d6070d4ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/436058/
  
Dropped by
MD5 a95e94aa91e2c6cddbbbc018572ee46b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48494/
  
Dropped by
SHA256 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

Comments