MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31
SHA3-384 hash: 7a5e6949d52b789b723ac6d88ef6930297d7b297596140e337ad2148cfc0896fbbba05490f438e67063cb43b438bdc2c
SHA1 hash: 713c8115c2141772c2368f9c5afca9d27c7ac17d
MD5 hash: 36ef7011d14bf40997d50ad4620fe4f4
humanhash: ack-colorado-thirteen-winner
File name:AES_AUS No. 0008_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-10-26 14:02:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02d03956d3718b494e226bdaa75e0b1f (10 x GuLoader)
ssdeep 768:LfyO3pkFMGLS79mijtK4mFLBwZO6mdjQF1nBe3FHRAJ3x/DkO:9pgM0S77js9TYOlQ1sFHRK
Threatray 598 similar samples on MalwareBazaar
TLSH 2693E813FC5C5893D86447B4AE1B4FAC0A4FFE1864C62BDB11A21D9F7B3C6094D6E229
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: xwx0.320.xoron.ml
Sending IP: 159.89.137.248
From: Business Development Dept.- EVEREST PHIL <purchase@aesolutions.com.au>
Subject: REVISED PO - AES_AUS No. 0008
Attachment: AES_AUS No. 0008_pdf.rar (contains "AES_AUS No. 0008_pdf.exe")

GuLoader payload URL:
https://redesuperpops.com.br/trends/Kalied_Rewcur216.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79098/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511919
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 05:40:41 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cyvtjyeqv5ulvrtmfqbsekqsy6urktzena3ti4igt5ztca4ruyq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
092e73bea3484930380103be58ee944d620e754cfbd579e68c1fee773a478b7e
GuLoader
44da34c94fa3c1fbc77e4d18a745b1059db381ad4e6a025a90504b2bdfa73f18
GuLoader
692b099cb8eb863730179f28207ebf5579edd501a43c09fa3b9e177191840d27
GuLoader
7d37b86ad0cb4b99038a10d6f95febfd7d1e096ab7ba28c6c02ada2b128873bf
GuLoader
8549ca1816c1f9745ca7e17daa3ff79633b38dbf71f0833056c7610a5b58fdb8
GuLoader
8a91203698a5589c1787d9fb31dbbc30ab3229a6aee56992f9186a4d4fc4ae2c
GuLoader
9d4abcc57a7136faf706c30c8d644f1ac7b38a2adcff37072a4a7c356d2b8d57
GuLoader
bdde3710c5191125b83c55f75ccad13dcc2b210c8d1100929ba8c68a13e4fbe6
GuLoader
d53bb8e4561477133b4510eda133bf0740c854c587f1e3d5a676c9db33e9f818
GuLoader
d7a99f24befa69ac2bae23e028ef9342211ed018495b34b92b9e89448532584a
GuLoader
+ 588 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-w8z3as16t2/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar cba222ed0c40791ea4fec30a7438e2a893a95ebff1485fa97118e91f856d0c68

GuLoader

Executable exe f0b159a704857b45d6336160191150963d48aa792341b9a38834fb99881c8d31

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/750731/
  
Dropped by
MD5 8fc636ad209352934b19874d6622601d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cba222ed0c40791ea4fec30a7438e2a893a95ebff1485fa97118e91f856d0c68
Cape
Cape
https://www.capesandbox.com/analysis/79098/

Comments