MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2b7389c9dd63fb1b147537c52572bbc09bec5c080474000e113b31aa249388a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2b7389c9dd63fb1b147537c52572bbc09bec5c080474000e113b31aa249388a
SHA3-384 hash: 14a3c28c6e5186844aa5191bb6e2d2ddcd9fce0f67d0f0e8317ba7f70875daecbc9613b5975601bf4069f01784ea0690
SHA1 hash: ed1ce8ba6a765c7ac221d545efa389afea44cd82
MD5 hash: 0fefb456de0c44dbe347c9af0017e49c
humanhash: alpha-football-double-alanine
File name:Me jpg jpgjpg jpg.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-08-19 12:22:41 UTC
Last seen:2020-08-19 12:45:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep 1536:S9pXDl5+FcrY1Wahm8n7QYGZ8ScEDVXj/AaJ:SLlgFcrY1ZWltAg
Threatray 15 similar samples on MalwareBazaar
TLSH 44937E53B1C4A6FAF7ECCA711B16AFE540EFAC30E892C90324C979952E76E45C51132B
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: slot0.ricksaezp.com
Sending IP: 104.168.173.112
From: info@ricksaezp.com
Reply-To: info@ricksaezp.com
Subject: ATTACHED FILE PRODUCTS NEEDED PLEASE
Attachment: Product_Me_Order_Pictures _pdf.zip (contains "Me jpg jpgjpg jpg.scr")

GuLoader payload URL:
https://onedrive.live.com/download?cid=5624EA93AB8BAD8E&resid=5624EA93AB8BAD8E%21138&authkey=ABWRmxpTafQw7Q8

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48496/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34383263.2770.8427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Searching for the window
Creating a process with a hidden window
Setting a single autorun event
Result
Threat name:
Ardamax AveMaria GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437913
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Increases the number of concurrent connection per server for Internet Explorer
Installs a global get message hook
Installs a global keyboard hook
Modifies the prolog of user mode functions (user mode inline hooks)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to steal Mail credentials (via file access)
Yara detected Ardamax
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271446 Sample: Me jpg jpgjpg jpg.scr Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Yara detected GuLoader 2->78 80 Yara detected Ardamax 2->80 82 9 other signatures 2->82 8 Me jpg jpgjpg jpg.exe 1 2 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        15 4 other processes 2->15 process3 signatures4 102 Creates autostart registry keys with suspicious values (likely registry only malware) 8->102 104 Creates multiple autostart registry keys 8->104 106 Tries to detect Any.run 8->106 108 Hides threads from debuggers 8->108 17 Me jpg jpgjpg jpg.exe 12 8->17         started        22 Purchase Order.scr 2 11->22         started        24 Purchase Order.scr 13->24         started        process5 dnsIp6 68 landzro365groupe.com 192.64.118.122, 443, 49742, 49743 NAMECHEAP-NETUS United States 17->68 44 C:\Users\user\AppData\...\Purchase Order.scr, PE32 17->44 dropped 46 C:\Users\user\AppData\...\Purchase Order.vbs, ASCII 17->46 dropped 48 C:\Users\user\AppData\Local\...\designs.exe, PE32+ 17->48 dropped 84 Tries to detect Any.run 17->84 86 Hides threads from debuggers 17->86 26 Purchase Order.scr 2 17->26         started        29 designs.exe 14 17->29         started        32 Purchase Order.scr 8 22->32         started        35 Purchase Order.scr 24->35         started        file7 signatures8 process9 dnsIp10 110 Tries to detect Any.run 26->110 112 Hides threads from debuggers 26->112 37 Purchase Order.scr 8 12 26->37         started        52 C:\ProgramData\QQOFCC\TSH.exe, PE32+ 29->52 dropped 54 C:\ProgramData\QQOFCC\TSH.02, PE32+ 29->54 dropped 56 C:\ProgramData\QQOFCC\TSH.01, PE32+ 29->56 dropped 42 TSH.exe 29->42         started        58 192.168.2.1 unknown unknown 32->58 60 onedrive.live.com 32->60 62 awz9ga.db.files.1drv.com 32->62 64 onedrive.live.com 35->64 66 awz9ga.db.files.1drv.com 35->66 file11 signatures12 process13 dnsIp14 70 198.12.84.39, 49746, 5200 AS-COLOCROSSINGUS United States 37->70 72 onedrive.live.com 37->72 74 awz9ga.db.files.1drv.com 37->74 50 C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+ 37->50 dropped 88 Hides user accounts 37->88 90 Tries to steal Mail credentials (via file access) 37->90 92 Tries to detect Any.run 37->92 100 3 other signatures 37->100 94 Creates multiple autostart registry keys 42->94 96 Installs a global get message hook 42->96 98 Installs a global keyboard hook 42->98 file15 signatures16
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d2b7389c9dd63fb1b147537c52572bbc09bec5c080474000e113b31aa249388a/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 14:32:33 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2k3trhe52y73dmkhkn6fevzlxqe35roaqbduaahbcozrvisjhcfa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
45310ab9b43a84346d6c41c5286fab15c4921920461aa2c58ecf375d6070d4ef
GuLoader
6a07e270c189e9059526fc2570c7e4039f1140115e2f8544bba2b6f5923ac2ce
GuLoader
726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352
GuLoader
775680d359c5c5490062e223fd9a18e7136657b18cfc349bf1d5f02ac91c8d2c
GuLoader
7c3b056caf85497f39a72bcdde137abc70b81612496a358a8627fd4994f84203
GuLoader
9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
GuLoader
c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde
GuLoader
d48bd7c50cc69b4f73766563fde6a1444b64a725acb7b988e75bdc54b945d383
GuLoader
fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241
GuLoader
ffe68860d3d4320a2152bb2f3a636eb0f484f9f81a14b112c5f349b7c3d79f76
GuLoader
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200819-4q43njfzsj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Program Files directory
Drops file in System32 directory
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Modifies WinLogon
Adds Run key to start application
JavaScript code in executable
Modifies WinLogon
Loads dropped DLL
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets DLL path for service in the registry
Executes dropped EXE
Sets DLL path for service in the registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d2b7389c9dd63fb1b147537c52572bbc09bec5c080474000e113b31aa249388a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

GuLoader

Executable exe d2b7389c9dd63fb1b147537c52572bbc09bec5c080474000e113b31aa249388a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/436055/
  
Dropped by
MD5 a95e94aa91e2c6cddbbbc018572ee46b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48496/
  
Dropped by
SHA256 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

Comments