MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684
SHA3-384 hash: 50690b181459d54d90507b2fb136fcbef0fb1ac27a4b33a33f4100424c043848719a745d5e67010d20cb972153523c6f
SHA1 hash: 9e236ed52518e1a957d6649b8a4c115c9cc8971d
MD5 hash: 1cd212ef2cc038492735ee828fcebe25
humanhash: quiet-skylark-massachusetts-don
File name:Payment Invoice#5638.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:172'032 bytes
First seen:2020-10-13 14:28:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a8bc4adc0e02db157aa2c55cad9da51 (1 x GuLoader)
ssdeep 1536:AgOt+p1u1/Z801i+g6YCMFJbxtGS1645ZCD8ChZxnmZym:Aywx801hmfTE8ChZxnmgm
Threatray 1'267 similar samples on MalwareBazaar
TLSH 8BF32DA1D354DCBDF84B52FBC43698E61897AF2988F4092E545D712169B338B13FAC0B
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
GuLoader payload URL:
https://mscni.org/hk_qfIvrO18.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70492/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34757163.16636.5401.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Unauthorized injection to a system process
Result
Threat name:
AveMaria GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489853
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 01:32:43 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5u4ew72672sffjochoggrxd62byxrnhw6qlcwbceqemo4k2662ca._file
Verdict:
suspicious
Similar samples:
0512c8c515096734e33d52d39d554b683466183859b968f3c3fc525be6acd69e
GuLoader
1df1f90da9a07dfe25f0368fc24830fd1513e938c590e9ca6cfbe422dcfedc38
GuLoader
23166e8971c2cfa2ea35aa10e15694a9757ab7584b2ddd648e424d8488e9fe98
GuLoader
37991980ed910dd02716c5afeaba0042ae5c68f1b37acd037df9aaa6c181c4c6
GuLoader
9da0df6eb709cee7468a850c0b59914ca84eeace25bea74ed6d393e0e5e84737
GuLoader
c9f5530468fde1d7a198bc7dd5a43c390b234f10649dcdbdc25890c0563d4691
GuLoader
c9fa8e9c44e5fb934569771f39093e4ba7b66dcb2204b51fea382f0065d6c240
GuLoader
e187821f898ec00b0e007b899046c51fe7f950ae2e44ebf60bcfe83dd1e04530
GuLoader
f17d48c8d179de191e519fa908648b977c09f91803b898d8e4fada52e423a8df
GuLoader
febbf2119882b88d952379874d73e2c02e3816d49ded935fff81d4d24726d87c
GuLoader
+ 1'257 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
rat infostealer family:warzonerat
Link:
https://tria.ge/reports/201013-x3kb3gb8ts/
Behaviour
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
ServiceHost packer
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684
MD5 hash:
1cd212ef2cc038492735ee828fcebe25
SHA1 hash:
9e236ed52518e1a957d6649b8a4c115c9cc8971d
Link:
https://www.unpac.me/results/1662fbfb-cc77-43dd-86d0-53589b924d10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe ed384b7f5efea452a5c23b8c68dc7ed07178b4f6f4162b04448118ee2b5ef684

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/685759/
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70492/

Comments