MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb
SHA3-384 hash: 2b6c8aee4215578eee0388ade9c4c49a977ff5ce66c0b2d33b41a9c38fbf3a35a2eb088efbff878021803028b1a880e8
SHA1 hash: 669c81a1818af02dc03178c5a1cf02d637d43d56
MD5 hash: a0b1ccf2bb63d9226c91bff56564e0d2
humanhash: one-august-steak-juliet
File name:NICE.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:45'056 bytes
First seen:2020-10-08 05:29:26 UTC
Last seen:2020-10-08 07:17:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5bc0c0bbad22a8e0c850c5bf6a6271b5 (4 x GuLoader)
ssdeep 384:RvR8AbZgO5uLtIy57/+A0cyh1HvZDHQ3Q3ojMomMUdn9:tRLSO5uLtf/+APyh5Ckn
Threatray 2'271 similar samples on MalwareBazaar
TLSH 05136B07F580A076FEA987724E22DFA446A37C721C115F0737883F6E6F72B41A92525B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: linux.avaserver.com
Sending IP: 95.217.137.242
From: 김병준 <bkim@hec-co.kr>
Reply-To: bkim@hec-co.kr
Subject: RFQ For Canada New Energy Plant Project
Attachment: Request For Quotation Details_Rev1.img (contains "NICE.exe")

GuLoader payload URL:
http://iykemorelinkrtyu.webredirect.org/uploud//5bab0b1d864615bab0b1d864b3/bin_IXmtFR30.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69070/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484935
Signature
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294909 Sample: NICE.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 33 www.42nova.com 2->33 35 42nova.com 2->35 45 Multi AV Scanner detection for domain / URL 2->45 47 Potential malicious icon found 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 8 other signatures 2->51 11 NICE.exe 2->11         started        signatures3 process4 signatures5 61 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 11->61 63 Tries to detect Any.run 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 67 2 other signatures 11->67 14 NICE.exe 6 11->14         started        process6 dnsIp7 43 iykemorelinkrtyu.webredirect.org 103.125.191.94, 49716, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 14->43 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Tries to detect Any.run 14->71 73 Maps a DLL or memory area into another process 14->73 75 3 other signatures 14->75 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 37 lyftpart.com 50.22.154.126, 49749, 80 SOFTLAYERUS United States 18->37 39 www.hilldavies.com 217.160.230.202, 49748, 80 ONEANDONE-ASBrauerstrasse48DE Germany 18->39 41 www.lyftpart.com 18->41 53 System process connects to network (likely due to code injection or exploit) 18->53 22 control.exe 18->22         started        25 autofmt.exe 18->25         started        27 autoconv.exe 18->27         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 29 cmd.exe 1 22->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 05:17:58 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qh34gkfo6hilmuve462bk6zu6k2gflhfylzeqm2qwgs6cvworlnq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0074b4e19d6ad55ab6573d7522ead0f75a84b866611cc8133d08b5800e3bb32a
GuLoader
1289d591984de5325235e57987ab171b4ae3f9d55baf3476087677805922427f
GuLoader
14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
GuLoader
3b6460bb14fdce88ab8ec80e5cbfecbb15bbc09de1e75c51246d1c670925b340
GuLoader
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
GuLoader
784d9c10d108190a9e18b3d5756404a3e63fd728abd648225cbbf80c4f78fe76
GuLoader
967ea109385c23aa2c0a841295eb33b1f25d25b836903cbabe33a9c1fb2ee267
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
d29fa6e0fa83a4332afc39315b3961e609bddc91c1b60590c82b009d20cd9f3a
GuLoader
ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74
GuLoader
+ 2'261 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201008-t7h6sj9bfa/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb
MD5 hash:
a0b1ccf2bb63d9226c91bff56564e0d2
SHA1 hash:
669c81a1818af02dc03178c5a1cf02d637d43d56
Link:
https://www.unpac.me/results/98746cf2-e5a1-4ac1-be9a-f071ec8f338d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 13414abae2c54f860bee2c117b988e949806e2fb24dea30e1ccb67e1cd3bafe0

GuLoader

Executable exe 81f7c328aef1d0b652a4e7b4157b34f2b462ace5c2f2483350b1a5e156ce8adb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/668437/
  
Dropped by
MD5 43ab29ddb2a089c9bbab7bd0e50c1223
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 13414abae2c54f860bee2c117b988e949806e2fb24dea30e1ccb67e1cd3bafe0
Cape
Cape
https://www.capesandbox.com/analysis/69070/

Comments