MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85a40f3f59fb797494adf184b0dbee2b3d8089e9686b9f484c5242c5a75085a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85a40f3f59fb797494adf184b0dbee2b3d8089e9686b9f484c5242c5a75085a9
SHA3-384 hash: e1a7a9d1ed235931725a566f65db1950c08988894de426ac81604896e37a729fcfd534630bf4f1421e5ae7ecdd3b4fc9
SHA1 hash: b7cfaf7b72961a3d638bed26b9573c8d0dffd864
MD5 hash: 1e6648567a03b5f9ae815edffbeead8c
humanhash: sad-twelve-arkansas-fanta
File name:rechnung.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:192'967 bytes
First seen:2020-06-04 10:47:38 UTC
Last seen:2020-06-08 07:25:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe26ae3d09a83c3e2d239605e1853745 (1 x GuLoader)
ssdeep 3072:GPXk3uRKVjPzT1zeoT2lQBV+UdE+rECWp7hKdM:GPU3uR4PZegBV+UdvrEFp7hKdM
Threatray 1'373 similar samples on MalwareBazaar
TLSH 4F14AE03AD4883EBE05407B83D1A5E793AD9993D090A1BDFA2361D5BAD3DA035DCB11F
Reporter abuse_ch
Tags:DEU exe geo GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mxout01.bytecamp.net
Sending IP: 212.204.60.217
From: DKV EURO SERVICE GmbH + Co. KG <rusty@sumaco.ae>
Subject: AW: AW: Zahlungsbeleg und Auftragsbestätigung 04-06-20 Rechnung_20-613129926-001
Attachment: rechnung.zip (contains "rechnung.exe")

GuLoader payload URL:
http://156.96.118.179/slxslx-2RAW_gwKBF147.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6515/
Detection(s):
MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Virus.Floxif
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 07:55:11 UTC
AV detection:
45 of 48 (93.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qwsa6p2z7n4xjffn6gclbw7ofm6ybcpjnbvz6scmkjbmlj2qqwuq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
guloader
Create hunting rule
Similar samples:
0eec4264bcd0ca71859ad816d8f7fdc7145135fb0e6e52223fb200dc4bc97a59
GuLoader
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
GuLoader
44b9088e8bd1c22c10d5ea77951a3dda0884a8564187a8f98a4472120f374c91
GuLoader
4f197c8bdfa89d2a0d041b47dabf307cba6c3deb639134357e0bfee3bf28645f
GuLoader
81337231c53d0927b5aaff1792d71b5f5270e268e1909267ad3bd79951e72642
GuLoader
9e17a9c1b1d0db2c9cd8fdf42c475712f8faaa68cb08bbff910a2927b910d88f
GuLoader
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
GuLoader
d60af7a38f3b01fa2c7926959f9c65b91d9dac09da0e6e0431237ffd58b2e8f0
GuLoader
e0a8759e82a06477519693f900800964f3a1e2c55e4022f959062c9d3a06bd76
GuLoader
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
GuLoader
+ 1'363 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201109-5ntx29hajj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Modifies AppInit DLL entries
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:MAL_Floxif_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_Microsoft_Copyright_String_Anomaly_2
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 6ee8bf6666e32639d6027f22fd7aa517987c3066aaa1f5cd4b96019e8ff2ba30

GuLoader

Executable exe 85a40f3f59fb797494adf184b0dbee2b3d8089e9686b9f484c5242c5a75085a9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374619/
  
Dropped by
MD5 daa303f321add1620764bb2be90a957c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6ee8bf6666e32639d6027f22fd7aa517987c3066aaa1f5cd4b96019e8ff2ba30
Cape
Cape
https://www.capesandbox.com/analysis/6515/

Comments