MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d6bd58488eb5f37fdba905ac0cb83e0cdb648ff2531cff16a76f2b2cbe5e84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6d6bd58488eb5f37fdba905ac0cb83e0cdb648ff2531cff16a76f2b2cbe5e84
SHA3-384 hash: 49606e0d26e93628f468259c221af18a76cdf6f86ee670135281e021ea6e9b2106d2b9a7597514d5cf240b950f716046
SHA1 hash: 7dd217e148061023ae75986fa4c24146c8ed6f7d
MD5 hash: 94c98e7686ce0a56270cbd4e8b7b750e
humanhash: ink-cup-low-rugby
File name:po-0049205.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:572'418 bytes
First seen:2020-04-30 09:37:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64ab6fd0cf28e70d3fb9a56a2dec328c (4 x RemcosRAT, 2 x GuLoader)
ssdeep 12288:mPIhK2hqLgn3k6nDcqr7cwz8/0UTXOMOdSP:k6KnLgnxnDcq3u/3eC
Threatray 894 similar samples on MalwareBazaar
TLSH 72C48F23B2E14937D13B1A7C9C1B97A8AD3A7E113D28E8467BF42E4C4F396807539197
Reporter abuse_ch
Tags:exe geo GuLoader JPN nVpn RAT


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: smtp97.iad3a.emailsrvr.com
Sending IP: 173.203.187.97
From: 東邦液化ガス株式会社 <yamauchi-jyunko@tohogas.co.jp>
Subject: 見積もり依頼
Attachment: po-0049205.zip (contains "po-0049205.exe")

GuLoader dropping unknown RAT.

RAT C2:
185.244.30.81:42017

Hosted at nvpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_Foundation_Hungary
remarks: Budapest, Hungary
country: HU
org: ORG-FOSF3-RIPE
admin-c: FOSF1-RIPE
tech-c: FOSF1-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-04-06T19:58:39Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 03:52:27 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=23ll2wcir227g763vec2ydfyhygnwzep6jjrz7ywu5xswlf6l2ca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1620114c000809b11104adbadb3df7ac989d9c7bc5e7da5acb0ffc9c5cb05c14
GuLoader
34f712cf924d76de4f93de3ddc9a0bb9a55b97bf64f2e36c7c0ae49ede694dfb
GuLoader
62115059096fc430f5e8b4cfe6884444fbb2b0733760a7f4a9856791f1151ba9
GuLoader
76b79ad15a0d32493a1b45c4e254ea349ef56a1da3d541d55240b1e620278c72
GuLoader
9160a75fe7bd27c3cb8141039d4c7383162b199454dfa285dd7d11f9fcfe52b1
GuLoader
ac5f9e2cef8603c2b588194055654468562c121c21ff39b8356f23ef9fb1c2c9
GuLoader
ba07e07a2c279246901b613a26ed95dc37bce9e0aa1ba17d5e812a8e84bda164
GuLoader
ce53e7d6bf4497672eb6798ad63488ae41f3943601b76d390761006b56f3befe
GuLoader
d9498f5a8b798490a85fa6878b5c7ac624b75259390ff4504adb52a11b3ea258
GuLoader
d9e6d184148b47fd32eb6810a21ea8ee0b04d2cb5315d4a4cfbf12fe86ac67ab
GuLoader
+ 884 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip b4c3356e7c18d31ecf7e7e48b50a902810dba13ce5db47998cbca3b0cc1238ad

GuLoader

Executable exe d6d6bd58488eb5f37fdba905ac0cb83e0cdb648ff2531cff16a76f2b2cbe5e84

(this sample)

  
Dropped by
MD5 2c735795babbd52e1916746e944131d3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b4c3356e7c18d31ecf7e7e48b50a902810dba13ce5db47998cbca3b0cc1238ad

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments