MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4da47222e28694a7cada3ff481647d1d2cc1b9f085414069660964f951a0b78c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4da47222e28694a7cada3ff481647d1d2cc1b9f085414069660964f951a0b78c
SHA3-384 hash: c1f02be1f4b7ca905258463cca4fcd033ef0e3dca47f27a46cec02c26f4a0222b9ce349da3109137f79e1d3f0dd56cac
SHA1 hash: bc050128080b2b8fbe1f4596bf3f9a5538039642
MD5 hash: 51969c64f3d0af7c6690ab61fd0e50a2
humanhash: video-hot-floor-east
File name:견적 품목 리스트.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:53'248 bytes
First seen:2020-10-22 06:50:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1391adc08b741e0301376eeb35b26b04 (2 x GuLoader)
ssdeep 768:I14KSj1LU/mWDS5HPMCHm9ORAx1dYlVqrPIGDB:ISKULrWDS5LHmE6x1dYWZ
Threatray 2'695 similar samples on MalwareBazaar
TLSH 82338C56F085AB71F29D4AB00A218BF81677BD3409508E2BB54C3F9E3936CCD8CB6319
Reporter abuse_ch
Tags:exe geo GuLoader KOR


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail-smail-vm87.hanmail.net
Sending IP: 211.231.106.162
From: 한석 이엔지 <skp2828@hanmail.net>
Subject: 첨부도면 견적요청 드립니다.(한석이엔지 입니다.)
Attachment: 견적 품목 리스트.lzh (contains "견적 품목 리스트.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=DC4CBECBD0F5214C&resid=DC4CBECBD0F5214C%21162&authkey=ABlaO8h4FZZ6tg8

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74484/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506703
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302528 Sample: #Uacac#Uc801 #Ud488#Ubaa9 #... Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Potential malicious icon found 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 12 other signatures 2->70 12 #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe 1 1 2->12         started        15 wscript.exe 2->15         started        process3 signatures4 98 Creates autostart registry keys with suspicious values (likely registry only malware) 12->98 100 Tries to detect Any.run 12->100 102 Hides threads from debuggers 12->102 17 #Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe 4 12->17         started        21 filename1.exe 1 15->21         started        process5 file6 46 C:\Users\user\AppData\Local\...\filename1.exe, PE32 17->46 dropped 48 C:\Users\user\AppData\Local\...\filename1.vbs, ASCII 17->48 dropped 72 Tries to detect Any.run 17->72 74 Hides threads from debuggers 17->74 23 filename1.exe 1 17->23         started        26 filename1.exe 7 21->26         started        signatures7 process8 dnsIp9 84 Machine Learning detection for dropped file 23->84 86 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 23->86 88 Tries to detect Any.run 23->88 96 2 other signatures 23->96 29 filename1.exe 7 23->29         started        56 wsx5ug.am.files.1drv.com 26->56 58 onedrive.live.com 26->58 90 Modifies the context of a thread in another process (thread injection) 26->90 92 Maps a DLL or memory area into another process 26->92 94 Sample uses process hollowing technique 26->94 signatures10 process11 dnsIp12 60 wsx5ug.am.files.1drv.com 29->60 62 onedrive.live.com 29->62 104 Modifies the context of a thread in another process (thread injection) 29->104 106 Tries to detect Any.run 29->106 108 Maps a DLL or memory area into another process 29->108 110 3 other signatures 29->110 33 explorer.exe 29->33 injected signatures13 process14 dnsIp15 50 jb4tw3nty.com 34.102.136.180, 49737, 80 GOOGLEUS United States 33->50 52 www.jb4tw3nty.com 33->52 54 2 other IPs or domains 33->54 76 System process connects to network (likely due to code injection or exploit) 33->76 37 NETSTAT.EXE 33->37         started        40 rundll32.exe 33->40         started        signatures16 process17 signatures18 78 Modifies the context of a thread in another process (thread injection) 37->78 80 Maps a DLL or memory area into another process 37->80 82 Tries to detect virtualization through RDTSC time measurements 37->82 42 cmd.exe 1 37->42         started        process19 process20 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4da47222e28694a7cada3ff481647d1d2cc1b9f085414069660964f951a0b78c/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 00:41:01 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwsheixcq2kkpsw2h72iczd5duwmdopqqvaua2lgbfspsunaw6ga._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0cf5cda3657648c661cd0cb58e06e6ccb488d66e27cda1102121eb2572053bdd
GuLoader
1ea315e9248f2e83decd8b9a73335ce654e787c42083c6e21566cd9bc2f93eed
GuLoader
26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0
GuLoader
2e6f9c96b9332cdb7bafa068de6591e073bc8255d37f22f08a796f77f9d3d63f
GuLoader
6a5303bb0ea9067e348cb7bee1db4740682b5a3e37822d09d9b80783f64a5569
GuLoader
923fb7b3ff414a712d72ebe1d904806a0ae7a3d026d1275553dfa8e6a10fcee7
GuLoader
97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3
GuLoader
a1817ff59a466c2c67ff443922da2ea3e4c67b8ed1a5e67c44a0fc4faa8956b9
GuLoader
dd95ca4e9ebb20cd4d2e26adfded37285e4321ef95bcee7dd0bbaf309eac8a38
GuLoader
fcb020fc827bf432792feef13068e8094ae0dd1f201fa398a360eecf6216630b
GuLoader
+ 2'685 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201022-pnxezef796/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
4da47222e28694a7cada3ff481647d1d2cc1b9f085414069660964f951a0b78c
MD5 hash:
51969c64f3d0af7c6690ab61fd0e50a2
SHA1 hash:
bc050128080b2b8fbe1f4596bf3f9a5538039642
Link:
https://www.unpac.me/results/055df381-1d0a-4da5-ab1e-85ca4704d498/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 8aaa5995b949475a53933c0acdb9d9d08db2830cfecd903a0d08e6a1478af81b

GuLoader

Executable exe 4da47222e28694a7cada3ff481647d1d2cc1b9f085414069660964f951a0b78c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/733036/
  
Dropped by
MD5 2e2325507c466477200eecbec6c9f1d0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74484/
  
Dropped by
SHA256 8aaa5995b949475a53933c0acdb9d9d08db2830cfecd903a0d08e6a1478af81b

Comments