MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ffc0cc7f5b6bfb1e02d404b6d850e2fd72a778a1a2582fc061723f084cc73c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	9ffc0cc7f5b6bfb1e02d404b6d850e2fd72a778a1a2582fc061723f084cc73c2
SHA3-384 hash:	68b4a7942667463b95c1093e90c2ead1aaeae71ddfa67a8cb59c67ddb0a1beb2664a8e88b14eb38a3953350abf33b825
SHA1 hash:	26af211b56418ecbe094ef2c690389f9108f2494
MD5 hash:	440b260170c3a01f4124e0bf5d3c9959
humanhash:	uncle-avocado-failed-eight
File name:	Rechnung.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-06-02 10:23:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	82da4fe47d65d4db0d94680467e0652e (1 x GuLoader)
ssdeep	1536:FdFO8lLqkEItmBtrm8eLzwKQwBdVyXDf/vJvUc:8Itm+8gzwPa0X
Threatray	1'026 similar samples on MalwareBazaar
TLSH	F4931843BAD45501F1B28B706EBB86996F25BC1A4D439A4F354D398B3B30B52D86C32F
Reporter	abuse_ch
Tags:	AZORult exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: dd20228.kasserver.com
Sending IP: 85.13.140.105
From: info@hesse-immo-halle.de
Subject: Auftragsbestätigung und die Rechnung vom 02.06.2020
Attachment: Rechnung.zip (contains "Rechnung.exe")

GuLoader payload URL:
http://156.96.118.179/emda_lLXMYMxZm189.bin

AZORult C2:
http://emda-2.duckdns.org/index.php

Intelligence

File Origin

# of uploads :

1

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/6035/

Detection(s):

Win.Malware.Guloader-7995204-0

Gathering data

Threat name:

Win32.Trojan.Vbkrypt

Status:

Malicious

First seen:

2020-06-02 10:40:52 UTC

AV detection:

27 of 48 (56.25%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t76azr7vw273dybnibfw3biof7lsu54kdisyf7agc4r7bbgmopba._file

Verdict:

malicious

Label(s):

azorult

guloader

Similar samples:

0eec4264bcd0ca71859ad816d8f7fdc7145135fb0e6e52223fb200dc4bc97a59

308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e

44b9088e8bd1c22c10d5ea77951a3dda0884a8564187a8f98a4472120f374c91

4f197c8bdfa89d2a0d041b47dabf307cba6c3deb639134357e0bfee3bf28645f

81337231c53d0927b5aaff1792d71b5f5270e268e1909267ad3bd79951e72642

9e17a9c1b1d0db2c9cd8fdf42c475712f8faaa68cb08bbff910a2927b910d88f

c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d

d60af7a38f3b01fa2c7926959f9c65b91d9dac09da0e6e0431237ffd58b2e8f0

e0a8759e82a06477519693f900800964f3a1e2c55e4022f959062c9d3a06bd76

e9bcebb30731ce1c7ecca26eb2d6a717caf06824fd834775e571d4f684f9d279

+ 1'016 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-3pr1lwdkss/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip c01b857ff58b16a708cb81f51ef048e3888f0e14153982692f5d1a5425c790e2

exe 9ffc0cc7f5b6bfb1e02d404b6d850e2fd72a778a1a2582fc061723f084cc73c2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/374273/

Dropped by

MD5 d91ba0ffc4ef250ccf0674d47b7cc3ed

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 c01b857ff58b16a708cb81f51ef048e3888f0e14153982692f5d1a5425c790e2

Cape

Cape

https://www.capesandbox.com/analysis/6035/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample