MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0cd0d44e8eb5d76e7ebb79fd5633814ecd3aeb8251dff223b0be04c1963616d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0cd0d44e8eb5d76e7ebb79fd5633814ecd3aeb8251dff223b0be04c1963616d
SHA3-384 hash: 62f399084968ea5528701e656a74494d40ce5ec776386f9c8ce320fa50e8d30f43c28206e64ea8df21a9e454bd3a70ce
SHA1 hash: 74a78bdaa51f50f9175950019958f7ba3cd604d9
MD5 hash: 7fc0364a71327a662bf435f49e9613e4
humanhash: helium-sad-social-vegan
File name:64900658_0rder_Receipt.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:45'056 bytes
First seen:2020-10-20 06:28:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3023fc666778a7f41172c32b402d1b26 (1 x GuLoader)
ssdeep 768:z+lSPct4xthnxNQpPofZnSI+CduO0UXdjPjzDDDDDDDDDD8:ClSPQSxYWnSZCdvdXDDDDDDDDDD8
Threatray 2'491 similar samples on MalwareBazaar
TLSH FB137C9F61705BB9CE5686BE0A32063C21DFF830C2559A1BE237191D0A39750E9FCF66
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: torfep04.bell.net
Sending IP: 184.150.200.209
From: Laurence Simard <itil@lipetsk-pivo.ru>
Subject: Your order has been delivered!
Attachment: 64900658_0rder_Receipt.iso (contains "64900658_0rder_Receipt.exe")

GuLoader payload URL:
https://trackit.gr/ven/octnew_WEvCwpWnO118.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73250/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
Nanocore GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497097
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Detected Nanocore Rat
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300699 Sample: 64900658_0rder_Receipt.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 6 other signatures 2->51 7 64900658_0rder_Receipt.exe 2->7         started        10 filename1.exe 2->10         started        12 filename1.exe 2->12         started        process3 signatures4 53 Writes to foreign memory regions 7->53 55 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 7->55 57 Tries to detect Any.run 7->57 14 RegAsm.exe 1 20 7->14         started        19 RegAsm.exe 7->19         started        59 Hides threads from debuggers 10->59 21 RegAsm.exe 1 10->21         started        61 Antivirus detection for dropped file 12->61 63 Tries to detect virtualization through RDTSC time measurements 12->63 process5 dnsIp6 31 octnew.duckdns.org 185.165.153.15, 49768, 6700 DAVID_CRAIGGG Netherlands 14->31 33 trackit.gr 88.99.130.241, 443, 49765 HETZNER-ASDE Germany 14->33 27 C:\Users\user\subfolder1\filename1.exe, PE32 14->27 dropped 29 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 14->29 dropped 35 Tries to detect Any.run 14->35 37 Hides threads from debuggers 14->37 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->39 23 conhost.exe 14->23         started        41 Tries to detect virtualization through RDTSC time measurements 19->41 43 Contains functionality to hide a thread from the debugger 19->43 25 conhost.exe 21->25         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0cd0d44e8eb5d76e7ebb79fd5633814ecd3aeb8251dff223b0be04c1963616d/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 20:50:32 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6dgq2rhi5noxnz7lw6p5kyzyctwnhlvyeuo76ir3bpqeygldmfwq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
08954829f50d1aade435fefd5e50e2aee86283ab378a54243892152eded51db8
GuLoader
1baac8b88ecc811192cf8c2a7c170153ad350646265225f0d4a0ac351a1f197a
GuLoader
2b68ba16b8a44890c23fba68bccc1ef620ff3f12fd0d0fc2f7ffab92fcbde46e
GuLoader
4f4ffd4acbf022b50208d546731446d3c5b16380a244dab0261ad0cad8ce02e0
GuLoader
56455fb98a91d0b0244bc347a1d32b0bd1d02a765e12d925d119564385410d71
GuLoader
8fc12c74c5af599fd99d302b2429d8c8a5d3a5d243d7941758fda223ee3cb7eb
GuLoader
96806ca7e35fc1840e35d756d2242c494fa734a81d76ceb8586fd10ef6548f39
GuLoader
b93f8ab520d94792e242a0c903ef2a8cce77a3a9f969e44749e4f2768333d96e
GuLoader
d7aef406cc623d210aa08b240098e0976b28d745685385b8aee5df41e78e5e4e
GuLoader
d7dda9d5e3557a57d63b4fe02c26f03f135e4810bfd2fbe9b44f5190384385ae
GuLoader
+ 2'481 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201020-3117syebbe/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
f0cd0d44e8eb5d76e7ebb79fd5633814ecd3aeb8251dff223b0be04c1963616d
MD5 hash:
7fc0364a71327a662bf435f49e9613e4
SHA1 hash:
74a78bdaa51f50f9175950019958f7ba3cd604d9
Link:
https://www.unpac.me/results/b40c24b7-c53e-4f7f-91c5-c18af1a9abc8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0cd0d44e8eb5d76e7ebb79fd5633814ecd3aeb8251dff223b0be04c1963616d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 2436eabe4d6730ffd6767a0d9c41cab8a50e2ef764332aa0de2b5487e98e8828

GuLoader

Executable exe f0cd0d44e8eb5d76e7ebb79fd5633814ecd3aeb8251dff223b0be04c1963616d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/721901/
  
Dropped by
MD5 e8b1bca2179005dd236cc97cb2036f52
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73250/
  
Dropped by
SHA256 2436eabe4d6730ffd6767a0d9c41cab8a50e2ef764332aa0de2b5487e98e8828

Comments