MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde
SHA3-384 hash: 8095a890798db6eb45e47a81fd25f78ef880032bb4c87450fb42a25da84eb41ac3afb3d0d06678e344dcabe05975acae
SHA1 hash: 6ab8bf7b1fea5415146d98a047e67a0e4b5da62b
MD5 hash: 386e7e7739d1519fa7e51c6acd53c485
humanhash: utah-bacon-carbon-october
File name:Product Order pdf pdf pdf pdf.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-08-19 12:21:31 UTC
Last seen:2020-08-19 12:45:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep 768:5gb95quqFR3R0yDeNxZXuM87DQziPeZpTECMSpj0O6Hg0x97+WP05zPNJ0vnbuc0:SwdFRmNuM8gzbZpQ7FOr3hcvbutr
Threatray 2'247 similar samples on MalwareBazaar
TLSH 55934B567B98C9F3F77446B85700EFB826EBAC641816C603A9E43C5F7EB5B028D54223
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: slot0.ricksaezp.com
Sending IP: 104.168.173.112
From: info@ricksaezp.com
Reply-To: info@ricksaezp.com
Subject: ATTACHED FILE PRODUCTS NEEDED PLEASE
Attachment: Product_Me_Order_Pictures _pdf.zip (contains "Product Order pdf pdf pdf pdf.scr")

GuLoader payload URL:
https://onedrive.live.com/download?cid=6A7B40A2BC530C6C&resid=6A7B40A2BC530C6C%21112&authkey=AFUOV36rBYmLvXM

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48493/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34383265.16171.11233.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437910
Signature
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 271445 Sample: Product Order pdf pdf pdf pdf.scr Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 28 www.krepostta-sofia.com 2->28 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Yara detected GuLoader 2->44 46 7 other signatures 2->46 11 Product Order pdf pdf pdf pdf.exe 1 2->11         started        signatures3 process4 signatures5 54 Tries to detect Any.run 11->54 56 Hides threads from debuggers 11->56 14 Product Order pdf pdf pdf pdf.exe 6 11->14         started        process6 dnsIp7 34 landzro365groupe.com 192.64.118.122, 443, 49719, 49720 NAMECHEAP-NETUS United States 14->34 36 onedrive.live.com 14->36 38 gvdqcg.by.files.1drv.com 14->38 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Tries to detect Any.run 14->60 62 Maps a DLL or memory area into another process 14->62 64 3 other signatures 14->64 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 30 www.laacia.life 18->30 32 www.gweneldor.tech 18->32 21 msdt.exe 18->21         started        process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 14:32:21 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yl5nbstjc4pkx4c474ycblyy4rntivmlmyhfdf55wtama4wjzxpa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
03d585ea89f4e62bc18d42d1fadad0b02faca6d68c831e79fb542e9efd183f7a
GuLoader
0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197
GuLoader
26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0
GuLoader
330cc7a94a8d40b4588313605d103e425e9a2530bf19e32b6cd61a786a6b8c04
GuLoader
5b8bcca6874eb87a0653adc3137d69a11c33c64a0087ad63646f39111ac2e62c
GuLoader
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
GuLoader
77168234eb706333e4835666a00a8fd8e110959660c97e5c5528ed3a3d0f5081
GuLoader
e6bdca558fb485e6ac7295d20f868902f2b790bc147fb3ab1e3a6628280d40f3
GuLoader
f1c80232eaed26af259c818427b444f12057b9329804da8ded13ec9fd20d3413
GuLoader
f80c8e9d0e8ed0ffa6b7d8620a0eb890deb7c9dc84dca3198b3d2625bf5d1099
GuLoader
+ 2'237 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200819-9c414m4tba/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yofdyk.com/hha/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

GuLoader

Executable exe c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/436056/
  
Dropped by
MD5 a95e94aa91e2c6cddbbbc018572ee46b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48493/
  
Dropped by
SHA256 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

Comments