MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a7106c3175b71d4771f9e03d3c17db04b882e7f0e05195595da449eaa5a940b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a7106c3175b71d4771f9e03d3c17db04b882e7f0e05195595da449eaa5a940b
SHA3-384 hash: 8ac97ff4d50f0613daa152a48b0b858543023a5209a772522f69a3d49c3140b76a26a35332049a8b635adb229609cb89
SHA1 hash: 1e70058debb8f71cf3db24e3e71089f2d00054dd
MD5 hash: 530762fcff215156c027b56b67d8d536
humanhash: earth-colorado-stream-wyoming
File name:over.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:131'072 bytes
First seen:2020-08-06 11:44:02 UTC
Last seen:2020-08-06 14:06:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8235f17ca62fddfc490297d5c04d4a69 (2 x GuLoader)
ssdeep 1536:WX8ScIFzRP5HadNyNDbSSoS8m1jIbLA57IUvzOktbQ:M845afyNRoS8HqtbQ
Threatray 5'689 similar samples on MalwareBazaar
TLSH 1BD3F7215CB2ED63F80DD8B1175242A51826ADF4410EC90F39DD788A17BA4C39BA5FE3
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41078/
Detection(s):
SecuriteInfo.com.Gen.NN.ZevbaCO.34152.im0@aCgL@8oi.9846.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/413789
Signature
Benign windows process drops PE files
Contains functionality to hide a thread from the debugger
Detected FormBook malware
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 259325 Sample: over.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 100 43 www.samachaarworld.com 2->43 45 whxyea.am.files.1drv.com 2->45 47 onedrive.live.com 2->47 61 Malicious sample detected (through community Yara rule) 2->61 63 Yara detected GuLoader 2->63 65 Yara detected Generic Dropper 2->65 67 3 other signatures 2->67 11 over.exe 1 1 2->11         started        signatures3 process4 signatures5 85 Tries to detect Any.run 11->85 87 Tries to detect virtualization through RDTSC time measurements 11->87 89 Hides threads from debuggers 11->89 91 Contains functionality to hide a thread from the debugger 11->91 14 over.exe 6 11->14         started        process6 dnsIp7 55 192.168.2.1 unknown unknown 14->55 57 whxyea.am.files.1drv.com 14->57 59 onedrive.live.com 14->59 93 Modifies the context of a thread in another process (thread injection) 14->93 95 Tries to detect Any.run 14->95 97 Maps a DLL or memory area into another process 14->97 99 3 other signatures 14->99 18 explorer.exe 4 6 14->18 injected signatures8 process9 dnsIp10 49 yourexecutivesolutions.com 46.235.40.60, 49739, 80 A2BNL Netherlands 18->49 51 www.yourexecutivesolutions.com 18->51 53 2 other IPs or domains 18->53 37 C:\Users\user\AppData\...\9r14huhqx18.exe, PE32 18->37 dropped 69 System process connects to network (likely due to code injection or exploit) 18->69 71 Benign windows process drops PE files 18->71 23 msiexec.exe 1 17 18->23         started        27 9r14huhqx18.exe 1 18->27         started        29 9r14huhqx18.exe 1 18->29         started        file11 signatures12 process13 file14 39 C:\Users\user\AppData\...\38Nlogrv.ini, data 23->39 dropped 41 C:\Users\user\AppData\...\38Nlogri.ini, data 23->41 dropped 73 Detected FormBook malware 23->73 75 Tries to steal Mail credentials (via file access) 23->75 77 Tries to harvest and steal browser information (history, passwords, etc) 23->77 83 3 other signatures 23->83 31 cmd.exe 1 23->31         started        79 Tries to detect Any.run 27->79 81 Hides threads from debuggers 27->81 33 9r14huhqx18.exe 27->33         started        signatures15 process16 process17 35 conhost.exe 31->35         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6a7106c3175b71d4771f9e03d3c17db04b882e7f0e05195595da449eaa5a940b/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 11:43:56 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=njyqnqyxlny5i5y7tyb5hql5wbfyqlt7bycrsvmv3jcj5ks2sqfq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
GuLoader
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
GuLoader
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
GuLoader
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
GuLoader
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
GuLoader
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
GuLoader
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
GuLoader
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
GuLoader
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
GuLoader
e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0
GuLoader
+ 5'679 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence evasion
Link:
https://tria.ge/reports/200806-q66g2m82dx/
Behaviour
System policy modification
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/6a7106c3175b71d4771f9e03d3c17db04b882e7f0e05195595da449eaa5a940b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/41078/
  
URLhaus
https://urlhaus.abuse.ch/url/426322/

Comments