MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d
SHA3-384 hash: ca26c3edafd1c462818829707cd8b990c88e1dfbb56bf97f2589cd63d482430377396cba32ef6cc6bebdb841555fd236
SHA1 hash: 881844503dee7d1797ce7736786dfec08f06100a
MD5 hash: 6008cd180e677be4846d5f8abfa6b983
humanhash: coffee-shade-mobile-california
File name:Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-11-20 07:39:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0cb4f4ece3f5875b40d2bf4babdf78ef (3 x GuLoader)
ssdeep 768:Mteyg1/gcK/WS3zWfxPSCFEI80v0dEeMTGUdP2KohBS:+eysgcK/WS36fxP/gEjPyhA
Threatray 4'568 similar samples on MalwareBazaar
TLSH 16836C4379D9F521E11AB9B28661CEFC512ABF249FC2592328C87E1EFF33954744123A
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: host.perfectneeds.com
Sending IP: 72.10.32.108
From: thyssenkrupp Materials Australia Pty Ltd <mark.geyer@thyssenkrupp.com>
Reply-To: mark.geyer@thyssenkrupp.com
Subject: Purchase Order Updates / thyssenkrupp Materials Australia / 900-5400006911
Attachment: Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.rar (contains "Purchase Order Updates thyssenkrupp Materials Australia 900-5400006911.exe")

GuLoader payload URL:
https://pilatescollective.com/myguy/anyiba_ivtYLdKxk45.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Gathering data
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/543976
Signature
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321085 Sample: Purchase Order Updates  thy... Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 29 www.remotereg.com 2->29 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected GuLoader 2->41 43 10 other signatures 2->43 11 Purchase Order Updates  thyssenkrupp Materials Australia  900-5400006911.exe 1 2->11         started        signatures3 process4 signatures5 53 Tries to detect Any.run 11->53 55 Hides threads from debuggers 11->55 14 Purchase Order Updates  thyssenkrupp Materials Australia  900-5400006911.exe 6 11->14         started        process6 dnsIp7 35 pilatescollective.com 192.185.152.65, 443, 49748 UNIFIEDLAYER-AS-1US United States 14->35 57 Modifies the context of a thread in another process (thread injection) 14->57 59 Tries to detect Any.run 14->59 61 Maps a DLL or memory area into another process 14->61 63 3 other signatures 14->63 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 31 www.yourdfwliving.com 64.98.145.30, 49765, 80 TUCOWS-3CA Canada 18->31 33 www.goldkiili.com 18->33 45 System process connects to network (likely due to code injection or exploit) 18->45 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 07:39:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcyhlbfespbsu3yelof74h344kroiqidljyer2kgvjvsnjsilqgq._file
Verdict:
suspicious
Similar samples:
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
GuLoader
28d5385136c2bb70ae04b2e7f2e7ddfb8d28307e6a9624040c9c10320cbe2a67
GuLoader
2cf01afb98a61b2af1b0458770d83d230d1c9ab3bfcb9f2b6a504395403b5165
GuLoader
3b162f2943b2ee8d6075b2f8f4cbd7832e11b50ecdfcb4a68cf18eb1c7614651
GuLoader
44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
GuLoader
8bd042a9cba68f9d2fb8805abf49ffc0dc989e05df78876059f671fcfd759661
GuLoader
94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
GuLoader
99c1199a2f1bf8476f318ead8972af0dd77c13686039fb1a3f73b4f02789fd76
GuLoader
9c2e8914a4d3511eaa2f69e6ab33c9ff7d760d4ebfb761b38ed56eed8fe32ddb
GuLoader
ea4512d4bec0674059c55c5861d977bab515b6d28a543c74f32e1d78126625a4
GuLoader
+ 4'558 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201120-tj39yz9tzn/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d
MD5 hash:
6008cd180e677be4846d5f8abfa6b983
SHA1 hash:
881844503dee7d1797ce7736786dfec08f06100a
Link:
https://www.unpac.me/results/4f2f0b74-e632-4771-9527-d5b4638fcd20/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 85f8708fb7b3070c6d9317ffe81fc64a1fa192771bd053e0ab0bb9750cdc7346

GuLoader

Executable exe b8b07584a493c32a6f045b8bfe1f7ce2a2e441035a7048e946aa6b26a6485c0d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/828814/
  
Dropped by
MD5 530c3d7b278bb3070f58330de7413ed6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 85f8708fb7b3070c6d9317ffe81fc64a1fa192771bd053e0ab0bb9750cdc7346

Comments