MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e78fc612cad822b8532351787c4da091dd4ddbfc499d3563050b21c6ba5c0fef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e78fc612cad822b8532351787c4da091dd4ddbfc499d3563050b21c6ba5c0fef
SHA3-384 hash: 9da0dbf4ac5e68acc508cccbbe3a3cad28712bb8e33e2bdb173a0a8e56a32bfbfeb073041ed47da2fb6976f750735eb8
SHA1 hash: c6fd1bc94909a2f57e8240a7a40bf9bf65d6f10b
MD5 hash: 5bda1ebae689d2504fe87bc4ca6357ad
humanhash: don-happy-double-violet
File name:09b357c74df6ea185dd18011048acbe1.exe
Download: download sample
File size:844'288 bytes
First seen:2020-03-30 11:05:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c00b6ba7dbbc6abee9ace3a65a49ba24 (6 x Renamer, 1 x Worm.Ramnit)
ssdeep 12288:+wCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4ehozEN888888888888W8888888J:ONzCtUpQ9WWPBSSRMTEpfNF
Threatray 7 similar samples on MalwareBazaar
TLSH 3C055A1AB2D7143BC03706BD492792645C3B7D202A96585A5EFCBF4C0F392A33D36E96
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1FaWdtEnLukKRehx0PTsIaw7JwSrOjIEo

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence

File information

The table below shows additional information about this malware sample such as delivery method and external references.

bb0d37189879b31c4f160335085224efbf4ab18493d18016f0a4ab4f5d7f6b2c

Executable exe e78fc612cad822b8532351787c4da091dd4ddbfc499d3563050b21c6ba5c0fef

(this sample)

  
Dropped by
MD5 09b357c74df6ea185dd18011048acbe1
  
Dropped by
MD5 03e20887970f8c5586245155b3fdc846
  
Dropped by
GuLoader
  
Dropped by
SHA256 bb0d37189879b31c4f160335085224efbf4ab18493d18016f0a4ab4f5d7f6b2c
  
Dropped by
SHA256 d40a28bafd17cb23e4feceb8ea4ad5d4454a8600221d266866690cd6582665be
  
URLhaus
https://urlhaus.abuse.ch/url/332147/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::MoveFileW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
version.dll::GetFileVersionInfoSizeW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegConnectRegistryW
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegLoadKeyW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryInfoKeyW
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowExW
user32.dll::FindWindowW
user32.dll::PeekMessageA
user32.dll::PeekMessageW

Comments