MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c
SHA3-384 hash: a8e9ec9976fdb58f12003d94d1376261d05b0d1755eebbbd4b967d8920ab8ad6ec668d52d593289a19b2134774341083
SHA1 hash: b38bb550f789d6f6885e48217dabb8c7d978ad3a
MD5 hash: 15807bfc25c58a4284ce81c19fc552f9
humanhash: white-steak-oranges-south
File name:OVERDUE INVOICE SWIFT - PAYMENT COPY.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-10-26 14:53:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02d03956d3718b494e226bdaa75e0b1f (10 x GuLoader)
ssdeep 1536:4tiIan+3uivL8VFVryTUnB8Fw6JO49tN4o:OmMuivL8z5yTiSFwD44o
Threatray 336 similar samples on MalwareBazaar
TLSH 02931823B97D8543DC6557F4AE0B8FB80A4FFE15A1822BCB21E60E9E773C5054C5E229
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: xwx0.319.xoron.ml
Sending IP: 104.131.71.115
From: Regger-fils Worldwide Co Ltd <capz@kunkun.ml>
Subject: Re;OVERDUE INVOICE SWIFT - PAYMENT COPY
Attachment: OVERDUE INVOICE SWIFT - PAYMENT COPY.rar (contains "OVERDUE INVOICE SWIFT - PAYMENT COPY.exe")

GuLoader payload URL:
https://millenium-rj.com//mapsz/Adc_iFoOuijC244.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79237/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512114
Signature
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305262 Sample: OVERDUE INVOICE SWIFT - PAY... Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 29 www.adventuretimeporno.com 2->29 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 11 other signatures 2->45 11 OVERDUE INVOICE SWIFT - PAYMENT COPY.exe 1 2->11         started        signatures3 process4 signatures5 55 Tries to detect Any.run 11->55 57 Hides threads from debuggers 11->57 14 OVERDUE INVOICE SWIFT - PAYMENT COPY.exe 6 11->14         started        process6 dnsIp7 37 millenium-rj.com 192.185.216.180, 443, 49708 UNIFIEDLAYER-AS-1US United States 14->37 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Tries to detect Any.run 14->61 63 Maps a DLL or memory area into another process 14->63 65 3 other signatures 14->65 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 31 www.vn80000.com 185.206.21.28, 49713, 80 QUICKPACKETUS United States 18->31 33 sauschwein.store 34.102.136.180, 49714, 80 GOOGLEUS United States 18->33 35 www.sauschwein.store 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 08:19:38 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkisanuyuvmjyf4h3h5tdw54gcvtekngv3swtexzdbve2t6evywa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e
GuLoader
1ffe8a0c22c433b676f40639e236a1c7cc58656be5150f1bd4dc7f24d807c761
GuLoader
44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18
GuLoader
53891fe5d9e2ae2f182407272fd849ddab52f577adbd7b127a3b042cf560b714
GuLoader
7d37b86ad0cb4b99038a10d6f95febfd7d1e096ab7ba28c6c02ada2b128873bf
GuLoader
9d4abcc57a7136faf706c30c8d644f1ac7b38a2adcff37072a4a7c356d2b8d57
GuLoader
d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818
GuLoader
d7a99f24befa69ac2bae23e028ef9342211ed018495b34b92b9e89448532584a
GuLoader
f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31
GuLoader
f12049965ebca86fd2d5b094273aaaa2bfd299f67856d168252f8b927f2f7bec
GuLoader
+ 326 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-tsnaj9dhk6/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 3b0d0b9477b7fa080da9f01bf52bffc0568b6f8e64f2e3989ab05f54227f120e

GuLoader

Executable exe 8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/750725/
  
Dropped by
MD5 a429d1187b37863b11948d3b307dfdc2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3b0d0b9477b7fa080da9f01bf52bffc0568b6f8e64f2e3989ab05f54227f120e
Cape
Cape
https://www.capesandbox.com/analysis/79237/

Comments