MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8a0cc18117ef1d69eb60364662fed627b0722cc534e7c063261960b3806650c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 5



SHA256 hash: f8a0cc18117ef1d69eb60364662fed627b0722cc534e7c063261960b3806650c
SHA3-384 hash: df8503fb8fa7dd5186f68a5fc1a2cd3139c3985e85b6553bacae7105124211a5d697342394ba0db68eed1f802bb841b2
SHA1 hash: 5b53a57c35c9bebaaebc98315a6748965a26a94a
MD5 hash: 64e2178a161b00321e6044afc4cb9c14
humanhash: shade-michigan-william-network
File name: Company_Profile & PO.bat
Signature: GuLoader
File size: 45'056 bytes
First seen: 2020-10-07 04:47:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ea8298d1676b5a1d9d47f51cca5a1b2f (3 x GuLoader)
ssdeep: 768:yganshocr4FE8929Iq3bPaZQvR2MGyRN:5ansht4m892/3bPaZQvRGyL
Threatray: 2'271 similar samples on MalwareBazaar
TLSH: DC134C71B294E032F6D5C6B78E7287DC07667C3076428B8B69893F1E0DB0A4269D137B
Reporter: abuse_ch
Tags: bat GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: biobase.de
Sending IP: 103.138.109.101
From: Daniel KABEYA <danielkabeya11@biobase.de>
Subject: Fwd: 2020 URGENT ORDER FOR SUPPLY, 100% TT IN ADVANCE (RFQ16-2020YT)
Attachment: Company_Profile_ _PO.pdf.ace (contains "Company_Profile & PO.bat")

GuLoader payload URL:
http://pulsaction.ml/bin_dFAfF250.bin

Intelligence

File Origin
# of uploads: 1
# of downloads: 149
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Result
Threat name: FormBook GuLoader
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Behavior Graph ID: 294243
Sample: Company_Profile & PO.bat
Startdate: 07/10/2020
Architecture: WINDOWS
Score: 100

Process tree recovered from the graph (node numbers as in the graph; network endpoints listed as host, IP, ports, ASN, country):
  Node 2 (sample): contacts www.duwegawe.com; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Potential malicious icon found; Malicious sample detected (through community Yara rule); 9 other signatures; started Company_Profile & PO.exe (node 11)
    Node 11, Company_Profile & PO.exe: Tries to detect Any.run; Hides threads from debuggers; started Company_Profile & PO.exe (node 14)
      Node 14, Company_Profile & PO.exe: contacts pulsaction.ml (148.163.69.168, ports 49722, 80, IOFLOODUS, United States) and 192.168.2.1 (unknown); Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures; injected explorer.exe (node 18)
        Node 18, explorer.exe (injected): contacts officialangelanichelle.com (34.102.136.180, ports 49744, 80, GOOGLEUS, United States) and www.officialangelanichelle.com; System process connects to network (likely due to code injection or exploit); started raserver.exe (node 22)
          Node 22, raserver.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe (node 25)
            Node 25, cmd.exe: started conhost.exe (node 27)
Threat name: Win32.Trojan.Vebzenpak
Status: Malicious
First seen: 2020-10-07 02:58:09 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SHA256 hash: f8a0cc18117ef1d69eb60364662fed627b0722cc534e7c063261960b3806650c
MD5 hash: 64e2178a161b00321e6044afc4cb9c14
SHA1 hash: 5b53a57c35c9bebaaebc98315a6748965a26a94a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | GuLoader | Executable exe f8a0cc18117ef1d69eb60364662fed627b0722cc534e7c063261960b3806650c (this sample)

Delivery method: Distributed via e-mail attachment

Comments