MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352
SHA3-384 hash: 58ffa4f844de0f32e80c1fa6c474001f1b8039332ea55dc393535b22a19e441d009d74f9b8f830ef4cc70629c83a3620
SHA1 hash: c199e9589a033335697359b13302efa2f1787687
MD5 hash: 3085617089f02c7b6fceb69bfac9bdab
humanhash: violet-louisiana-whiskey-hot
File name:SCAN123432345432_PDF.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-08-19 07:25:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep 768:QpqtIehDVAJm7uHitvIZqXIFxZiqmc2gRpBlxRIi5fkAM56tbBjb0b4ehWt:/CaDVAWvIZtS7yXIilyyib4aW
Threatray 81 similar samples on MalwareBazaar
TLSH 73835C59B0C8A6F1F26C8A745B754FF900EE6C745942CF0378DC3D5A2A7AA05CE28327
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: gaia.acosis.net
Sending IP: 194.143.219.142
From: ismail dawar <ismail@dekkosiho.com>
Subject: Re: QUOTATION REF NO:234245435
Attachment: SCAN123432345432_PDF.GZ (contains "SCAN123432345432_PDF.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1ozjtLe327RbhxQ4ylHTa5CyRae0DyfFM

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48274/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.11384.31914.1631.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending a custom TCP request
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/436744
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Writes to foreign memory regions
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 270724 Sample: SCAN123432345432_PDF.exe Startdate: 19/08/2020 Architecture: WINDOWS Score: 72 38 Yara detected GuLoader 2->38 40 Initial sample is a PE file and has a suspicious name 2->40 42 Yara detected VB6 Downloader Generic 2->42 7 SCAN123432345432_PDF.exe 1 2->7         started        10 PICTURE.exe 1 2->10         started        12 PICTURE.exe 1 2->12         started        process3 signatures4 44 Writes to foreign memory regions 7->44 46 Tries to detect Any.run 7->46 48 Hides threads from debuggers 7->48 14 RegAsm.exe 1 15 7->14         started        18 RegAsm.exe 7->18         started        20 RegAsm.exe 7->20         started        28 2 other processes 7->28 22 RegAsm.exe 14 10->22         started        24 RegAsm.exe 10->24         started        26 RegAsm.exe 14 12->26         started        process5 file6 36 C:\Users\user\subfolder1\PICTURE.exe, PE32 14->36 dropped 50 Tries to detect Any.run 14->50 52 Hides threads from debuggers 14->52 30 conhost.exe 14->30         started        54 Contains functionality to hide a thread from the debugger 18->54 32 conhost.exe 22->32         started        34 conhost.exe 26->34         started        signatures7 process8
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 01:45:54 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojqvntgkboqao7psbwyoiog3jawhdf6wsrj3rebtf3ljvhsqsnja._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
102a406e2b148d3dff10dc067b37c4cfbe7594c9e10dc3dc2d3b13b3c908678e
GuLoader
14885a4bfd76cdb49db108d03ce3a8c88c301c786eed577606aaacc49d673bfa
GuLoader
4cab1aacfb805a94301d5f14ff07c8a4c07cef2b81897c19fd35a04c5cfe2b68
GuLoader
4e49f8ed15a69e1147ae9428c9e5b4d4aa928769f261627abc059d2060e94a6b
GuLoader
4e7757f18ae0c6aeac44ed49de53657e81d46474c75c431b291e3e5712b94045
GuLoader
51b6201307ef68d78bb4c84f7991e2fbb1c616b6933985f56e692f8e18bcb1b5
GuLoader
6617979630def30c8a103baceedd1ddb972a53b984de91682aa93451faf833bb
GuLoader
7848e6e1c38a88fffa92f4ef02ecbf2ac332f2c12a42b04f6d0ac186ad815c21
GuLoader
d9073504ba97540b65006d851251f330bcfb130500daad9a7f8616cb5a6a9ba0
GuLoader
fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241
GuLoader
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200819-shq5xc6h4e/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 997d62372543bf19d6df7e44fb492822d0d35b40f4a7875430ee36cb6a8a18ce

GuLoader

Executable exe 726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/435486/
  
Dropped by
MD5 3fc1e6984096092d530a4a935b0dabca
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48274/
  
Dropped by
SHA256 997d62372543bf19d6df7e44fb492822d0d35b40f4a7875430ee36cb6a8a18ce

Comments