MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdfe3c9dc4aa1e9378e37badc6993e814acb1ddccc2920dc7fc4fa226d4058e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdfe3c9dc4aa1e9378e37badc6993e814acb1ddccc2920dc7fc4fa226d4058e2
SHA3-384 hash: 41138bd6a6cb3d67f8f9725e9a97862a42de18c16cbf6309d96c30ac27ef2611f2096ee867acd81937cdccf61bf64911
SHA1 hash: b575330797e51408908596a7acec704f8daef1e7
MD5 hash: 49584b6178e152bb8c0b4bdec5f2dd64
humanhash: kilo-pasta-happy-white
File name:Rechnung.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-06-03 10:11:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 09064844c413e8d8670f4d7f7033d60d (1 x GuLoader)
ssdeep 1536:AcsSPfxV40iIt1WVyLpkgrKHxLdGKc+o0FDHdZ1gIx4ROWNG8/4q4jUf:AEPXi6oVaKVdhjFD9zOtGq3
TLSH EEB37C03EC8D8643E14887BC3D134D783A0DAD0D0D655BEFA075BD9E2E76A422CAB51E
Reporter abuse_ch
Tags:AZORult exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mailout-afc2.mailout.artfiles.de
Sending IP: 212.72.164.218
From: DKV Immobilien OHG <info@campingshop.de>
Subject: AW: AW: Auftragsbestätigung und die Rechnung vom 03.06.2020
Attachment: Rechnung.zip (contains "Rechnung.exe")

GuLoader payload URL:
http://156.96.118.179/emda_lLXMYMxZm189.bin

AZORult C2:
http://emda-2.duckdns.org/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6244/
Detection(s):
Win.Dropper.NetWire-7996875-0
Create hunting rule

Win.Malware.Razy-7997182-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 10:36:44 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 30 (73.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zx7dzhoevipjg6hdpow4ngj6qffmwho4zqusbxd7yt5ce3kaldra._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
guloader
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-r91nqwgj26/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 920192fcbc77e065c4db4b78d916a094d26a329b17fb94aa6ddf4aed366bf01f

GuLoader

Executable exe cdfe3c9dc4aa1e9378e37badc6993e814acb1ddccc2920dc7fc4fa226d4058e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374273/
  
Dropped by
MD5 33e965a5383693d4a124070826a4117b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 920192fcbc77e065c4db4b78d916a094d26a329b17fb94aa6ddf4aed366bf01f
Cape
Cape
https://www.capesandbox.com/analysis/6244/

Comments