MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72eb2dc730e3574dcb204d37fcfb35cf91bacd8087d6028d743cb0992c874244. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72eb2dc730e3574dcb204d37fcfb35cf91bacd8087d6028d743cb0992c874244
SHA3-384 hash: de96638d44dcfc639ee3c601bd3d32625d36caca3a350efa48f2589e663adc1e2e56cf3a6c2804ebd7a7960f114868ae
SHA1 hash: 3e15363d240a923eaa11165b31e9b4d879407f12
MD5 hash: 6ffa25db7a99e5438888579603d1d91f
humanhash: robert-juliet-red-social
File name:order.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-06-05 13:41:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ee621df0c174f6b5cbd987354b1eb7d0 (1 x GuLoader)
ssdeep 768:BboOZ5X7IYkCOQCRww+Kb4fUk+N+TzwbTNaJA1mvdhkiqcGDjH9DS3M6nNWfQ/F3:doODrdLtwXlOwDwvkCcl6nNW4/FqeEN
Threatray 5'849 similar samples on MalwareBazaar
TLSH 2E838C07BD1C8583D05906B82D13AED92E16EC684841DF5B6608BF8EFC753936CDAA1F
Reporter abuse_ch
Tags:exe geo GuLoader KOR


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: server.ecomotorhk.com
Sending IP: 162.144.56.225
From: 이규철 <gyuchul@hec.co.kr>
Reply-To: gyuchul@hec.co.kr
Subject: [Hyundai Engineering] Solicit of Interest (SOI) & PQ Documentation Request for BATANGAS Integrated LNG & Power Plant Project, Philippines
Attachment: 4.Company Profile.img (contains "order.exe")

GuLoader payload URL:
http://149.255.36.133/bin_PqLAqQjAza233.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6707/
Detection(s):
SecuriteInfo.com.Win32.Injector.EMGX.32284.UNOFFICIAL
Create hunting rule

Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/368805
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 236372 Sample: order.exe.vir Startdate: 08/06/2020 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 14 other signatures 2->82 10 order.exe.exe 1 2->10         started        process3 signatures4 102 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->102 104 Tries to detect virtualization through RDTSC time measurements 10->104 106 Hides threads from debuggers 10->106 108 Contains functionality to hide a thread from the debugger 10->108 13 order.exe.exe 6 10->13         started        process5 dnsIp6 64 149.255.36.133, 49733, 49739, 49740 unknown Netherlands 13->64 110 Modifies the context of a thread in another process (thread injection) 13->110 112 Maps a DLL or memory area into another process 13->112 114 Sample uses process hollowing technique 13->114 118 2 other signatures 13->118 17 explorer.exe 3 6 13->17 injected signatures7 116 Tries to resolve many domain names, but no domain seems valid 64->116 process8 dnsIp9 58 www.yfur.ltd 17->58 60 www.writusp.com 17->60 62 20 other IPs or domains 17->62 50 C:\Users\user\AppData\...\olotql9xtrtpnd.exe, PE32 17->50 dropped 84 System process connects to network (likely due to code injection or exploit) 17->84 86 Benign windows process drops PE files 17->86 22 control.exe 1 19 17->22         started        26 olotql9xtrtpnd.exe 1 17->26         started        28 olotql9xtrtpnd.exe 1 17->28         started        30 4 other processes 17->30 file10 88 Tries to resolve many domain names, but no domain seems valid 60->88 signatures11 process12 file13 52 C:\Users\user\AppData\...\8MNlogrv.ini, data 22->52 dropped 54 C:\Users\user\AppData\...\8MNlogri.ini, data 22->54 dropped 56 C:\Users\user\AppData\...\8MNlogrf.ini, data 22->56 dropped 90 Detected FormBook malware 22->90 92 Tries to steal Mail credentials (via file access) 22->92 94 Tries to harvest and steal browser information (history, passwords, etc) 22->94 100 2 other signatures 22->100 32 cmd.exe 2 22->32         started        36 cmd.exe 1 22->36         started        96 Hides threads from debuggers 26->96 38 olotql9xtrtpnd.exe 6 26->38         started        40 olotql9xtrtpnd.exe 6 28->40         started        98 Tries to detect virtualization through RDTSC time measurements 30->98 42 olotql9xtrtpnd.exe 6 30->42         started        signatures14 process15 file16 48 C:\Users\user\AppData\Local\Temp\DB1, SQLite 32->48 dropped 66 Tries to harvest and steal browser information (history, passwords, etc) 32->66 44 conhost.exe 32->44         started        46 conhost.exe 36->46         started        68 Modifies the context of a thread in another process (thread injection) 38->68 70 Maps a DLL or memory area into another process 38->70 72 Sample uses process hollowing technique 38->72 74 Hides threads from debuggers 40->74 signatures17 process18
Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-05 13:43:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=olvs3rzq4nlu3szaju37z6zvz6i3vtmaq7lafdluhsyjslehijca._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
006bb451c7207fa375e67a1684a97136a46beea1ff74e193eb4bbf6665a0ec9b
GuLoader
51f4e86285f8cb8a14a0d456beed9f15882e4ec7813bc24ff4c20a2389d1ccd0
GuLoader
52f217cdebe83217297bedc352fac2e475e293e6cad52a1335b3641eeb8c412b
GuLoader
5962532a97c0efd1227d42aeddeacf09c0f8c8787e476e650d71ceed4ed52d97
GuLoader
7a8db6a831edc72a1811ed42f3f0ce72ccb93455284b65dbc374a4298eee52f2
GuLoader
7acf7bc635e79515685759c8b4673d69245730d1e77dac430e093d7869e06e11
GuLoader
97e006c5ca29100601289b632e22049f5d8f955c008073fea9791b13cd10849c
GuLoader
9e65fc7212483f5f57cb203104d6bc366802604dbea60067bc73dec2d2f61bcc
GuLoader
c3252ba30dcb997aba042c568bee0ccbca5a818248dae999161a5a26ef7f301f
GuLoader
e15e175581173bb19a26a05cb7cf4ca26ce681a1d328e84341267a24be882f65
GuLoader
+ 5'839 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-8tjr6e7kq6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 9ecabd43cd9cc1b588ca4f4535ad31718fc4101e7019ddff91ca5b5710d29a3d

GuLoader

Executable exe 72eb2dc730e3574dcb204d37fcfb35cf91bacd8087d6028d743cb0992c874244

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/378987/
  
Dropped by
MD5 232e603c21fd5b58c9fb5691d909a452
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9ecabd43cd9cc1b588ca4f4535ad31718fc4101e7019ddff91ca5b5710d29a3d
Cape
Cape
https://www.capesandbox.com/analysis/6707/

Comments