MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baac016255a128a1209211bba2a47979f3392f12c41d5805469f899eba6de47b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baac016255a128a1209211bba2a47979f3392f12c41d5805469f899eba6de47b
SHA3-384 hash: aadcc282dd30728cd254242e7f2b407f4d13bc332f9b75350956f25f759df9b90a88e734ee003f5272a563a9a82e298f
SHA1 hash: 7c31639c494245bf1bde4109eb897b1445e2743f
MD5 hash: 413309ec95370868a40a96ab1c581121
humanhash: arizona-california-kitten-massachusetts
File name:INQ Request Order Quotation 908767655434467735567898765678987.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-05-26 12:48:50 UTC
Last seen:2020-05-26 14:21:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c3ab1ac0c452a3bdbfed5d8d55818a02 (1 x GuLoader)
ssdeep 768:RuMayUEgtEfyWj7dZc/w9ikY/zVgR6oRh8x6NJpjiJaNXrIETKCdmfKEy:cM9CtA/dZ9MkYB0ROkVvNrIETKo
Threatray 4'340 similar samples on MalwareBazaar
TLSH 42B3F6177ADDBCB9DC359FB11A31C9A05C22FC3829148B8B3D09B75E17766CE186039A
Reporter abuse_ch
Tags:FormBook GuLoader NetWire nVpn RAT scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: biz0.planete-import.net
Sending IP: 185.255.130.188
From: Levent SARICA <contacts@planete-import.net>
Subject: Attn: Inquiry and Request New Order HHGBAOI/ TT#
Attachment: INQ Request Order Quotation 908767655434467735567898765678987.rar (contains "INQ Request Order Quotation 908767655434467735567898765678987.scr")

GuLoader payload URL:
http://naturepack.cc/files/bin_ArPodh112.bin

NetWire RAT payload URL:
http://naturepack.cc/files/RTXN.exe

NetWire RAT C2:
185.244.29.175:7070

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4966/
Detection(s):
SecuriteInfo.com.Mal.FareitVB-AE.15887.26858.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 13:36:33 UTC
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b
GuLoader
5540d3256d4e24a41945ff8d40078deb2d5531242639d718b122f3044d52420d
GuLoader
5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
GuLoader
76b1a195279e01bf41f28576a23946416694d263a0d8b0db91af9d57e14ef4bf
GuLoader
7a27c2b1dde4a2dafa2a6d8e984337a891d4f7c1a15a80c5524be3bb5c0ccde6
GuLoader
884209a719966f7d043193d01453eb707f176dab896173c493097f09940ded43
GuLoader
98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced
GuLoader
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715
GuLoader
ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb
GuLoader
ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d
GuLoader
+ 4'330 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-tzcr1ngvnx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f0a1fd045e6450736307128328921431

GuLoader

Executable exe baac016255a128a1209211bba2a47979f3392f12c41d5805469f899eba6de47b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/364770/
  
Dropped by
MD5 f0a1fd045e6450736307128328921431
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/4966/

Comments