MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241
SHA3-384 hash: bd710aaf4781f0f7c2a19954a1362791bc63b22e230e6e3dd2045351484f13bdf54eb912e3e0dca4d7541eb6b7bb97e9
SHA1 hash: 7114ee901d3a1d7eac082b8871e443681828b4ef
MD5 hash: d90ce2bea547248ca6ddc8c72bfa28e5
humanhash: oranges-quiet-emma-april
File name:Designs jpg jpg jpg jpg.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-08-19 12:21:26 UTC
Last seen:2020-11-09 09:24:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep 1536:L7+Qi/5VQ+U/ZTOMMMMMM2MMBdqMMSaMMMMMMMMMMMMMMMMMMMMMMMMMMMM0tMM/:LZi/MvV
Threatray 435 similar samples on MalwareBazaar
TLSH 7493C5096889DEFAF374397409A66F9E90F8BC203457CDC26FE9388575F5E1848CA1C6
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: slot0.ricksaezp.com
Sending IP: 104.168.173.112
From: info@ricksaezp.com
Reply-To: info@ricksaezp.com
Subject: ATTACHED FILE PRODUCTS NEEDED PLEASE
Attachment: Product_Me_Order_Pictures _pdf.zip (contains "Designs jpg jpg jpg jpg.scr")

GuLoader payload URL:
https://onedrive.live.com/download?cid=5624EA93AB8BAD8E&resid=5624EA93AB8BAD8E%21139&authkey=AHZF3gFTm8oMJ7o

Intelligence

File Origin
# of uploads :
3
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48492/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.25622.1892.25119.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Deleting a recently created file
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/437916
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Hides threads from debuggers
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271448 Sample: Designs jpg jpg jpg jpg.scr Startdate: 20/08/2020 Architecture: WINDOWS Score: 80 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Yara detected GuLoader 2->59 7 Designs jpg jpg jpg jpg.exe 1 2->7         started        10 filename1.scr 1 2->10         started        12 filename1.scr 1 2->12         started        process3 signatures4 61 Writes to foreign memory regions 7->61 63 Tries to detect Any.run 7->63 65 Hides threads from debuggers 7->65 14 RegAsm.exe 1 10 7->14         started        19 RegAsm.exe 7->19         started        21 RegAsm.exe 8 10->21         started        23 RegAsm.exe 8 12->23         started        process5 dnsIp6 33 landzro365groupe.com 192.64.118.122, 443, 49735, 49737 NAMECHEAP-NETUS United States 14->33 35 onedrive.live.com 14->35 37 awyy9q.db.files.1drv.com 14->37 31 C:\Users\user\subfolder1\filename1.scr, PE32 14->31 dropped 47 Creates autostart registry keys with suspicious values (likely registry only malware) 14->47 49 Tries to detect Any.run 14->49 51 Hides threads from debuggers 14->51 25 conhost.exe 14->25         started        53 Drops PE files with a suspicious file extension 19->53 55 Contains functionality to hide a thread from the debugger 19->55 39 192.168.2.1 unknown unknown 21->39 41 onedrive.live.com 21->41 43 awyy9q.db.files.1drv.com 21->43 27 conhost.exe 21->27         started        45 2 other IPs or domains 23->45 29 conhost.exe 23->29         started        file7 signatures8 process9
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 14:32:17 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vydm2qkx3kboma6fiyssj7fnf7i33ibuugigc2arf4pwyp7sjaq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c
GuLoader
549d741341e63a5b461b0244c3ecb5377d8d8c95fa9a2bfe9bb096950b7993e2
GuLoader
60d730b06261cc6a18827439b478c444addf4fe0511f2e60d60bbf1ae05c0542
GuLoader
65bd5f3bc433f60bfc5ea392aaa33539592d657cbe2d316b25b24c9e12c225cc
GuLoader
726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352
GuLoader
9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
GuLoader
b2ad4bb1d6523d5541609a20280c7858ee9dbf33a206146082de81826efc8927
GuLoader
bc0a3976025579d4a076226c8b5b237e81eb42b558ce68855694c5963722acbd
GuLoader
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
GuLoader
ea816a801d2882a3da04ae2b9ac3e20e0959a95d18dfb17c55bb786b3ba2c743
GuLoader
+ 425 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200819-egckg8rww6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

GuLoader

Executable exe fd70366a0abed417301e2a312927e5697e8ded01a50c830b408978fb61ff9241

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/436057/
  
Dropped by
MD5 a95e94aa91e2c6cddbbbc018572ee46b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48492/
  
Dropped by
SHA256 2816b4cb7c5d8b87d1d56e855af0a2dba02782b7e6ac375a0ef41e1226147156

Comments