MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd
SHA3-384 hash: c7431eb1045262452810010c10ab6df57cb87cd9ed7043e681ceb6eb7d8d53f26be2a2425ef9c1fe1c5af02634ea02db
SHA1 hash: 4bca8ab86ea5efd9ee04035d91c6db524d3c1d7b
MD5 hash: 042d652ca56b0729238362144375138f
humanhash: magazine-single-mirror-moon
File name:AWB# 9284730932.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-11-05 10:23:09 UTC
Last seen:2020-11-05 11:52:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f68756dc2833873b5ac05b0e38772df2 (6 x GuLoader)
ssdeep 768:mn2dLYvkVR0BY9hoH0wMzJHPobQHK/CRT58RarQFh2dLy:mn2dLYMYS9hoHYJHcQhRt8Dh2dLy
Threatray 3'066 similar samples on MalwareBazaar
TLSH 5093AE31BB3DC12BC1600E3558B2661A2F02BD63B9342B3BD7DD48491E3DA562E5B379
Reporter abuse_ch
Tags:DHL exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

From: "DHL Express"<eawb@iddhl.com>
Subject: EAWB Notification
Attachment: AWB 9284730932.rar (contains "AWB# 9284730932.exe")

GuLoader payload URL:
https://millenium-rj.com/ozil/floow_HQaIKx54.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83223/
Detection(s):
SecuriteInfo.com.generic.ml.23924.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521327
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309772 Sample: AWB# 9284730932.exe Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 31 www.coloradobestservice.com 2->31 33 coloradobestservice.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 10 other signatures 2->47 11 AWB# 9284730932.exe 1 2->11         started        signatures3 process4 signatures5 57 Tries to detect Any.run 11->57 59 Hides threads from debuggers 11->59 14 AWB# 9284730932.exe 6 11->14         started        process6 dnsIp7 39 millenium-rj.com 192.185.216.180, 443, 49726 UNIFIEDLAYER-AS-1US United States 14->39 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Tries to detect Any.run 14->63 65 Maps a DLL or memory area into another process 14->65 67 3 other signatures 14->67 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 35 www.progressionglobaleducation.com 91.195.240.94, 49748, 80 SEDO-ASDE Germany 18->35 37 www.dcdhoom.com 154.215.127.8, 49745, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 18->37 49 System process connects to network (likely due to code injection or exploit) 18->49 22 msiexec.exe 18->22         started        25 autochk.exe 18->25         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 27 cmd.exe 1 22->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 09:46:49 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6h75hqj3ppl7jghiw4mnizijuff7k4ofpa6ufannz6x6cmur4h6q._file
Verdict:
unknown
Similar samples:
1ea315e9248f2e83decd8b9a73335ce654e787c42083c6e21566cd9bc2f93eed
GuLoader
26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0
GuLoader
2e6f9c96b9332cdb7bafa068de6591e073bc8255d37f22f08a796f77f9d3d63f
GuLoader
4da47222e28694a7cada3ff481647d1d2cc1b9f085414069660964f951a0b78c
GuLoader
6a5303bb0ea9067e348cb7bee1db4740682b5a3e37822d09d9b80783f64a5569
GuLoader
77386776e40532cd9d96b17ddc16eb63cb3effb53858763f4e4f0c55b96158e0
GuLoader
923fb7b3ff414a712d72ebe1d904806a0ae7a3d026d1275553dfa8e6a10fcee7
GuLoader
a1817ff59a466c2c67ff443922da2ea3e4c67b8ed1a5e67c44a0fc4faa8956b9
GuLoader
cc8ef4be7deaea9ac5cb75ba74d1d5718a665e96d44983ba1f0d0ed4c9d33cc8
GuLoader
dd95ca4e9ebb20cd4d2e26adfded37285e4321ef95bcee7dd0bbaf309eac8a38
GuLoader
+ 3'056 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-qlxh6v7mzj/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd
MD5 hash:
042d652ca56b0729238362144375138f
SHA1 hash:
4bca8ab86ea5efd9ee04035d91c6db524d3c1d7b
Link:
https://www.unpac.me/results/cbd01ad6-e9a1-417b-8c67-9a1c67b8bb6e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar d557623ca60b42efbaaa8fc6ed3f829df9d0e1e05f33cfa5570b8ae3972a0ab3

GuLoader

Executable exe f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/750727/
  
Dropped by
MD5 0b61129d49ba2212c37b82287c868158
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d557623ca60b42efbaaa8fc6ed3f829df9d0e1e05f33cfa5570b8ae3972a0ab3
Cape
Cape
https://www.capesandbox.com/analysis/83223/

Comments