MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe
SHA3-384 hash: b29d7b38e0ac4838c924074edf7aebc26a23a6200a1b9fed9415289362ae568efb3630e43c08e137da7bf373a7b48af4
SHA1 hash: a7a897ed27ce16d1b512f0109a078bb56c391af6
MD5 hash: 903aec13bbbd009c94a8179673cb10e1
humanhash: speaker-pennsylvania-grey-enemy
File name:FedEx_Shipment AWB & Receipt.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2020-06-04 15:54:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b96c63053885b9cd368b2968e25d2d9 (1 x GuLoader)
ssdeep 1536:f2C4XKxWfF14xzJcg2ATNSm/gn0RwFWnQ:fg6xQQkfm/gn0OZ
Threatray 1'034 similar samples on MalwareBazaar
TLSH 65733942A1A4EE70E51442F08E3166F8016B7C34D861C9376B357E2A3B73E9A617F71B
Reporter abuse_ch
Tags:exe FedEx GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: slot0.acthrous.com
Sending IP: 45.95.169.133
From: "FedEx" <fedExparcel@fedex.com>
Subject: Your Shipment is ready - FedEx
Attachment: FedEx_Shipment AWB Receipt.gz (contains "FedEx_Shipment AWB & Receipt.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=8D14D74EB13B02D0&resid=8D14D74EB13B02D0%21165&authkey=AK9xKR3bSwK3PSo

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6570/
Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 12:01:42 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jug74aocpx6synkgji7ugxh3jsww5glnn7captepcd6awpigsl7a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
0c017b57d7f1cbfa01f54deb15b7f04b8923acd4585435050589b1762856247e
GuLoader
3df464cdb09ec8aed7589b31541a291c9b921f49b2cc97aa34d363161366db8a
GuLoader
460aa0fd440b1acb5aa90b5667d4c387494f6622014e5d4115b1e3b6b080c5c0
GuLoader
844fb0d61ff2be56043914797b2e0123e111f616bbd743e3ecfee5c340651146
GuLoader
a07051295b50dfe762f42e922f6815e4554ae1b392da5810b88893cb91ac3b7e
GuLoader
a1eec13238d8aeff47e2544402482dae53aed3617e73a5e757746db56cc3f353
GuLoader
c76654971c4af60511d3583a3bd00c673904569aa93973687e14e95b9e80de6f
GuLoader
d3aa9fd1ed4af3cc3a49e612b93a03f799ada340c1c086f7403448fe77115bb1
GuLoader
e7cf4a0d3f94afea480bf5e64a658029d02191330244697ba9afd81dd5b56386
GuLoader
ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74
GuLoader
+ 1'024 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat infostealer persistence rat
Link:
https://tria.ge/reports/201109-tf6kvyt5je/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 224b898c44e6f1702b7839cae70e8163b19ac32bda677c41977cdfffca201d00

GuLoader

Executable exe 4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/379331/
  
Dropped by
MD5 3a6566ccbaf0a12d1a587dcbbf44b990
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 224b898c44e6f1702b7839cae70e8163b19ac32bda677c41977cdfffca201d00
Cape
Cape
https://www.capesandbox.com/analysis/6570/

Comments