MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8c03f50ff8217b8e4fe7e650360a566003875d0a943af2f2b3b895908872e4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8c03f50ff8217b8e4fe7e650360a566003875d0a943af2f2b3b895908872e4a
SHA3-384 hash: 7b58a7a9fe2c6670114ff44f4a8370baeab99570023eaabaed27b80668f0e1b2824b330166f3bc6727eaa05f6e6983cc
SHA1 hash: 374fc9ab749ad634e284eb03c2c164a1d5fb7260
MD5 hash: dddfc5bf7599ae2aacd87640404f585d
humanhash: stream-october-winter-comet
File name:rechnung.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:156'103 bytes
First seen:2020-06-02 16:01:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e52c12e62f8234e4c7d20aad0bc5957 (1 x GuLoader)
ssdeep 3072:JUG5Hyec1gqqK2lQBV+UdE+rECWp7hKNM:JNhfdQBV+UdvrEFp7hKG
Threatray 280 similar samples on MalwareBazaar
TLSH 94E38C036A0883E8D52445703F1B6B692BD4BC3C458F174BA6422E47FF7DB62798DA1E
Reporter abuse_ch
Tags:DEU exe geo GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: CEN-YCO-Rutalia-003.hispaweb.net
Sending IP: 109.70.131.174
From: Dr. Chris Jones <drchris-jones@outlook.com>
Reply-To: chris-jones@joneschris.tech
Subject: AW: AW: Zahlungsbeleg und Auftragsbestätigung 2-06-20 Rechnung_20-613129926-001
Attachment: Rechnung.zip (contains "rechnung.exe")

GuLoader payload URL:
http://156.96.118.179/slxslx-2RAW_gwKBF147.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6161/
Detection(s):
MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Virus.Floxif
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 16:36:04 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdad6uh7qil3rzh6pzsqgyffmyadq5oqvfb26lzlhoevscehfzfa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2c27feaca7c04d48cd54730df7e4c89dc200d18658fd78c6a3388a94f15dca9b
GuLoader
3480ae4f4ba35f9f2c70d89ad705ff9b64aab46de7e7df8942b1425d67d0eebc
GuLoader
67e4afe6e9701d2970eb3b62da0676750ba3e861801414f2036f3ec039b2e56b
GuLoader
6f2d3e1ae0ac968d44b8b5c0248734c6162a069904661dd9a19000342597d5ad
GuLoader
79afc9b39ba7fe7dd6ed282d39eb915bb47271d552177f62c6606b99901f9cd2
GuLoader
849af25a67d831b8e5d90cc6e4b51014a3a4d9f474f7363865cbd98c4dc0ea5a
GuLoader
d6ba040d10d1fb8e0f6a8b1d5378be566f6d3816bf1a00fb3e0bb6eed29346b2
GuLoader
df6e5a970596d544e6f644924cafadda5a596e2337621ea98829bd36801fa02c
GuLoader
e35d5297a515ddf23ac671f6110bb8f01a590e13d45dbeae5e96e0be414236b5
GuLoader
e4402badda18b6a4c832fcb22697a4847bb438350502975e764257027dc7f670
GuLoader
+ 270 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201109-bhtr819ebj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
UPX packed file
Modifies AppInit DLL entries
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:MAL_Floxif_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_Microsoft_Copyright_String_Anomaly_2
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip d305f9854610158f54bc75d261ebd46ce02207c02fbe0b66df04765c7282b842

GuLoader

Executable exe a8c03f50ff8217b8e4fe7e650360a566003875d0a943af2f2b3b895908872e4a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374619/
  
Dropped by
MD5 d6c4fa690fadc34aa16433ec1abe8ab7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6161/
  
Dropped by
SHA256 d305f9854610158f54bc75d261ebd46ce02207c02fbe0b66df04765c7282b842

Comments