MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b40cbfc5b305924116c41f9f96add7e45e3f023c5bdefddbdcc9889e2443834e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b40cbfc5b305924116c41f9f96add7e45e3f023c5bdefddbdcc9889e2443834e
SHA3-384 hash: c1411a2c820d4fc8469646d48a68e0b643703f96aa6e436c62566b63187797bb29e80696016314ea46d722ba50e4cd26
SHA1 hash: 650b387325ca1cfe5f7fde296ab3abec88fd4796
MD5 hash: 594906ac618036c814735443d7ae264d
humanhash: oregon-harry-yankee-oven
File name:RFQ MOLD6312701 2K Modification.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:69'632 bytes
First seen:2020-11-12 14:40:17 UTC
Last seen:2024-07-24 20:33:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d6030cf8147a673a435cb1240ac66c00 (2 x GuLoader)
ssdeep 768:i+Y2RddQf2Ja+Mn0i9mfoC/XCZI2rOsv:G2Rddaia+c0PwXX
Threatray 3'781 similar samples on MalwareBazaar
TLSH FA637D7165818072D2EAF2B86D7BC6EC0267EF2019E58A4B34243B3DE972F011DB4767
Reporter FORMALITYDE
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.generic.ml.12384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Gathering data
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533340
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 315774 Sample: RFQ MOLD6312701 2K Modifica... Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 29 www.gcsisgreen.com 2->29 31 gcsisgreen.com 2->31 37 Multi AV Scanner detection for domain / URL 2->37 39 Potential malicious icon found 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 12 other signatures 2->43 11 RFQ MOLD6312701 2K Modification.exe 2->11         started        signatures3 process4 signatures5 53 Tries to detect Any.run 11->53 55 Hides threads from debuggers 11->55 14 RFQ MOLD6312701 2K Modification.exe 6 11->14         started        process6 dnsIp7 35 redesuperpops.com.br 192.185.216.181, 443, 49742 UNIFIEDLAYER-AS-1US United States 14->35 57 Modifies the context of a thread in another process (thread injection) 14->57 59 Tries to detect Any.run 14->59 61 Maps a DLL or memory area into another process 14->61 63 3 other signatures 14->63 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 33 www.bbwtok.com 185.104.28.238, 49750, 80 AS-ZXCSNL Netherlands 18->33 45 System process connects to network (likely due to code injection or exploit) 18->45 22 ipconfig.exe 18->22         started        signatures11 process12 signatures13 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b40cbfc5b305924116c41f9f96add7e45e3f023c5bdefddbdcc9889e2443834e/
Threat name:
Win32.Ransomware.VBCryptor
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:31:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqgl7rntawjecfwed6pznlox4rpd6ar4lppp3w64zgej4jcdqnha._file
Verdict:
suspicious
Similar samples:
0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813
GuLoader
060500558c754696c0056ec073344071c058d198ea0dba06632f93edb1276624
GuLoader
07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
GuLoader
0a9055100b10ba145a65334aa2b316bc30722cd75539c6dcca168da6263040a6
GuLoader
36c2790871534ef40e28ff56b3a7c51b38479f57a878ddef882590b8c9dd24d1
GuLoader
3f2c710a97bb42579ee2f9956437ff160a68bd787439fbc025ab3d6b46076d34
GuLoader
448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9
GuLoader
4acadb0925e9ed9375a93307e5fbee58a8bbefe02a97463bf45e45752a7cfe42
GuLoader
a891606327e5e625ddd626a1c63958e6575c2293bcfef7388fb803cef653f931
GuLoader
aba1c467b0950b6f077dae1b48a7c73f8efa7a882b695bcf4849627a53d8c0be
GuLoader
+ 3'771 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201112-s4ta2vq6se/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
b40cbfc5b305924116c41f9f96add7e45e3f023c5bdefddbdcc9889e2443834e
MD5 hash:
594906ac618036c814735443d7ae264d
SHA1 hash:
650b387325ca1cfe5f7fde296ab3abec88fd4796
Link:
https://www.unpac.me/results/f8da2579-6d05-4dcd-b7f5-272c9e77dd9b/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe b40cbfc5b305924116c41f9f96add7e45e3f023c5bdefddbdcc9889e2443834e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments