MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6386bdea82bd60270722ec90ff6b09ac7a41f342fcb2ef0bd6217900c8e3afc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6386bdea82bd60270722ec90ff6b09ac7a41f342fcb2ef0bd6217900c8e3afc2
SHA3-384 hash: 622d8b12de900cf254b9ae3b2ecac08d5d3e50bdac60a8546207b2f0dc889685d4c80755473ebd96cef37f255e8d4b30
SHA1 hash: 6530d699a5a5c8f5f45fba5d8a11befb725b7b8f
MD5 hash: ac54893fedebf8e6272ee428cb27bb4c
humanhash: skylark-item-cardinal-six
File name:GENNEMSN.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-08-06 14:06:10 UTC
Last seen:2020-08-06 17:08:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 80fbe96279e52c846f53f97d5ffabfca (3 x GuLoader)
ssdeep 1536:VjKuTidq4tx/ZuCpvcGM5goxjQJS74FhOPPpL:VjPO53gCpvU5thl2hcV
Threatray 5'380 similar samples on MalwareBazaar
TLSH 7AB3D81368D49D73D9BA9AF0993250D02812ACFDD581570369E33C8EDEF2099B9E235F
Reporter JAMESWT_WT
Tags:GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41259/
Detection(s):
SecuriteInfo.com.BScope.TrojanSpy.Noon.13261.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/414068
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 259425 Sample: GENNEMSN.exe Startdate: 07/08/2020 Architecture: WINDOWS Score: 100 28 www.limitedtshirt.com 2->28 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected GuLoader 2->40 42 5 other signatures 2->42 11 GENNEMSN.exe 1 2->11         started        signatures3 process4 signatures5 50 Tries to detect Any.run 11->50 52 Tries to detect virtualization through RDTSC time measurements 11->52 54 Hides threads from debuggers 11->54 56 Contains functionality to hide a thread from the debugger 11->56 14 GENNEMSN.exe 6 11->14         started        process6 dnsIp7 34 securedfilestransfer.com 198.187.29.65, 443, 49725, 49726 NAMECHEAP-NETUS United States 14->34 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Tries to detect Any.run 14->60 62 Maps a DLL or memory area into another process 14->62 64 3 other signatures 14->64 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 30 www.nochnoykoyot.com 18->30 32 www.isra.holdings 18->32 21 svchost.exe 18->21         started        process11 signatures12 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6386bdea82bd60270722ec90ff6b09ac7a41f342fcb2ef0bd6217900c8e3afc2/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 14:00:21 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=modl32ucxvqcobzc5sip62yjvr5ed42c7szo6c6wef4qbshdv7ba._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
08fd08ac92e87f077dfa77ab5cbe48dccb7ffc87cd338a6451b884d42fa6306b
GuLoader
0951d8c7c31922177bfac1849388cf7e947d6e51ccbf936c7edd1e6d7c44da9d
GuLoader
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
GuLoader
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
GuLoader
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
GuLoader
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
GuLoader
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
GuLoader
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
GuLoader
b05998bc4d111c80719ab38c75918662f8151fd5e5e223cdc90f0d97caad3b6e
GuLoader
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
GuLoader
+ 5'370 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence evasion
Link:
https://tria.ge/reports/200806-qcl328b9g2/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Gathers network information
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Noon
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6386bdea82bd60270722ec90ff6b09ac7a41f342fcb2ef0bd6217900c8e3afc2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 6386bdea82bd60270722ec90ff6b09ac7a41f342fcb2ef0bd6217900c8e3afc2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/426325/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/41259/

Comments