MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e779b9901336cc05561d85c591f9efe628234c5f3ed2d072f00f8e370711072d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e779b9901336cc05561d85c591f9efe628234c5f3ed2d072f00f8e370711072d
SHA3-384 hash: 2fec16e65c46394d10cac03c8f6b32044d022091b96f7ed2ad167477077d1920d4298676b67a1f0fc0f615802d9cc97c
SHA1 hash: f18fa3f51bb05553d03089cdeacb17922ba87745
MD5 hash: 37012c0000dd63edb530bd6ac7ee8c2c
humanhash: hawaii-jig-green-lion
File name:Order MR-B. 04 03 21.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:106'496 bytes
First seen:2021-03-04 16:49:15 UTC
Last seen:2021-03-04 18:35:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 06b79053e2b8e3ae2f454e15c98ad6b1 (4 x GuLoader, 1 x RemcosRAT)
ssdeep 1536:z/8i9spjpREJAUDFZ1G/8xs9cC19sRGC:QpjsT6/r9Fg
Threatray 4'002 similar samples on MalwareBazaar
TLSH 92A3A0E8A010D648F4DB8931C471E6F72A17AC16D9B1368B6B9C7E3636701111BFE22F
Reporter cocaman
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order MR-B. 04 03 21.exe
Verdict:
No threats detected
Analysis date:
2021-03-04 16:52:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67eae987-d387-4a94-95e2-4e1343afd9eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122310/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/628885
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 363415 Sample: Order MR-B. 04 03 21.exe Startdate: 04/03/2021 Architecture: WINDOWS Score: 100 29 www.lib-dl.com 2->29 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected GuLoader 2->39 41 9 other signatures 2->41 11 Order MR-B. 04 03 21.exe 1 2->11         started        signatures3 process4 signatures5 51 Tries to detect Any.run 11->51 53 Hides threads from debuggers 11->53 14 Order MR-B. 04 03 21.exe 6 11->14         started        process6 dnsIp7 33 cdn.discordapp.com 162.159.134.233, 443, 49749 CLOUDFLARENETUS United States 14->33 55 Modifies the context of a thread in another process (thread injection) 14->55 57 Tries to detect Any.run 14->57 59 Maps a DLL or memory area into another process 14->59 61 3 other signatures 14->61 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 31 www.ajdqc.com 154.218.169.172, 49758, 80 VPSQUANUS Seychelles 18->31 43 System process connects to network (likely due to code injection or exploit) 18->43 22 chkdsk.exe 18->22         started        signatures11 process12 signatures13 45 Modifies the context of a thread in another process (thread injection) 22->45 47 Maps a DLL or memory area into another process 22->47 49 Tries to detect virtualization through RDTSC time measurements 22->49 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e779b9901336cc05561d85c591f9efe628234c5f3ed2d072f00f8e370711072d/
Threat name:
Win32.Backdoor.Andromeda
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 14:43:32 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4543teatg3gakvq5qxczd6pp4yucgtc7h3jna4xqb6hdobyra4wq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
GuLoader
21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978
GuLoader
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
GuLoader
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
GuLoader
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
GuLoader
8c5a90a4c4470d05fff7757920aa0a8bf56edab04f4eb926ba789652f1bfc74c
GuLoader
8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c
GuLoader
8eb77ec70c44e86607e97ce926cdb4e0610a0199c348fa329dba50bef34d5fc1
GuLoader
9433390a8374d47e62017b03c8d949af363e1f1aaa5247a2e320fc611c42f138
GuLoader
f130539b2d2324246449abb99f5a0effb214feee629b092d48ac63aca14e2ba6
GuLoader
+ 3'992 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210304-34b2w94y6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.lyceumgroupbooks.com/blk/
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/6234c91b-2428-4691-9901-5bbb894b0d44/
SH256 hash:
e779b9901336cc05561d85c591f9efe628234c5f3ed2d072f00f8e370711072d
MD5 hash:
37012c0000dd63edb530bd6ac7ee8c2c
SHA1 hash:
f18fa3f51bb05553d03089cdeacb17922ba87745
Link:
https://www.unpac.me/results/6234c91b-2428-4691-9901-5bbb894b0d44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e779b9901336cc05561d85c591f9efe628234c5f3ed2d072f00f8e370711072d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 5d02686e5616bc71ca45e8c18de8656a1015e80270a108850e2b39a1984a36e1

GuLoader

Executable exe e779b9901336cc05561d85c591f9efe628234c5f3ed2d072f00f8e370711072d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5d02686e5616bc71ca45e8c18de8656a1015e80270a108850e2b39a1984a36e1
Cape
Cape
https://www.capesandbox.com/analysis/122310/

Comments