MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9433390a8374d47e62017b03c8d949af363e1f1aaa5247a2e320fc611c42f138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	9433390a8374d47e62017b03c8d949af363e1f1aaa5247a2e320fc611c42f138
SHA3-384 hash:	73e229797a3e20933a8e3aff2e76b274ae0b7a359a40836c7e320d08385c9269c552bd47e4da0c23d2fb46ce03ee01c9
SHA1 hash:	6f5d834b312bad0742efacf2dc4e1484a9541b40
MD5 hash:	152a5851db0c8cf4e0d70ebdc17ee40f
humanhash:	sixteen-vermont-bacon-sixteen
File name:	PO 15682.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	135'168 bytes
First seen:	2021-02-26 06:21:11 UTC
Last seen:	2021-02-26 08:21:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cc882d101998a701353b40b0cd8c341a (6 x GuLoader, 1 x Formbook)
ssdeep	3072:EwVUPv+6PElyWqBW5g6ohmCzWawAMi2Vj5XQqwV:EwVUPw7YmCyawAMi2Vj9QqwV
Threatray	3'231 similar samples on MalwareBazaar
TLSH	B5D3F531A3B4A97BF52E5730BADA86B81764AF1799404D4310B2360E3F34A056732DFB
Reporter	cocaman
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO 15682.exe

Verdict:

Suspicious activity

Analysis date:

2021-02-26 06:24:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e120f646-d676-46cf-88e8-b2838cd714de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/119320/

Detection(s):

SecuriteInfo.com.Variant.Razy.847321.29320.31509.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook GuLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/619367

Signature

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9433390a8374d47e62017b03c8d949af363e1f1aaa5247a2e320fc611c42f138/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2021-02-25 22:35:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 48 (39.58%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sqztscudotkh4yqbpmb4rwkjv43d4hy2vjjepixded6gchcc6e4a._file

Verdict:

malicious

Label(s):

formbook

GuLoader

1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670

GuLoader

56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5

GuLoader

5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14

GuLoader

6a0c21a5a37e307becd9ed9bdee0f3f41e3d1a61847a6e9ae272ec891d4f7728

GuLoader

78f83f782f8d2077dd50d65badb4ed36ec24c029241287f76560e60733b61c29

GuLoader

8c5a90a4c4470d05fff7757920aa0a8bf56edab04f4eb926ba789652f1bfc74c

GuLoader

8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c

GuLoader

92737036f323b1c72064c1e8038a942266435048a3ce4847f7e5b29558376c1c

GuLoader

d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718

GuLoader

+ 3'221 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210226-vp2d4jsc8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.lyceumgroupbooks.com/blk/

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/714503ad-4e3f-4e88-b00c-ec27d16e691d/

SH256 hash:

9433390a8374d47e62017b03c8d949af363e1f1aaa5247a2e320fc611c42f138

MD5 hash:

152a5851db0c8cf4e0d70ebdc17ee40f

SHA1 hash:

6f5d834b312bad0742efacf2dc4e1484a9541b40

Link:

https://www.unpac.me/results/714503ad-4e3f-4e88-b00c-ec27d16e691d/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar bc6b1b5ae30207710574e2fc475111020061d25f8e39781a3f4cd3902f7c6b3e

GuLoader

exe 9433390a8374d47e62017b03c8d949af363e1f1aaa5247a2e320fc611c42f138

(this sample)

Delivery method

Other

Dropped by

SHA256 bc6b1b5ae30207710574e2fc475111020061d25f8e39781a3f4cd3902f7c6b3e

Cape

https://www.capesandbox.com/analysis/119320/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample