MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffdd9979e0fdcddd2224f3fd431b615ad3bc4f3e9211863a2cc41892caa69586. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	ffdd9979e0fdcddd2224f3fd431b615ad3bc4f3e9211863a2cc41892caa69586
SHA3-384 hash:	f1038045bf8fa22b23faf2d9410d62f00bc5c8e3b33a82e0a0872dee40434500bb21b63b533b4fc5307422810cd4b341
SHA1 hash:	20bd81f7390a317e279f106326162b1431d5abb1
MD5 hash:	a617d558c4c7a1fd1979dfba1380a34f
humanhash:	south-johnny-carolina-butter
File name:	Quo-657898_IMG.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	77'824 bytes
First seen:	2020-04-30 12:44:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	238f6146608dc1f840af9c5e376c003e (1 x GuLoader)
ssdeep	768:53wVax2KyTTmIOUhxNmTusbgKWcpF6K+SJGZ70LWOUukG:hlYBOawTuTKWcpF6K+iqAv
Threatray	5'685 similar samples on MalwareBazaar
TLSH	4873A51E6EE89DE2D022E570D851C19D80F1683805F37FC239095DDAE92B57EF718B2A
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: serversmtp0.hankar-tool.com
Sending IP: 23.254.229.196
From: Barzilay Sharona<zullydominguez@holdingderadio.com.py>
Subject: Fw：新訂單
Attachment: Quo-657898_IMG.xz (contains "Quo-657898_IMG.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Rdn

Status:

Malicious

First seen:

2020-04-30 13:36:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=77ozs6pa7xg52ire6p6ugg3bllj3ytz6siiymormyqmjfsvgswda._file

Verdict:

unknown

GuLoader

2c80924676beb57ffb753a576380eed1ec48e265a7843a52b08664463d890b61

GuLoader

337471a86433031e87027a6459fee04e490ddfc016d4d7eab062e0a1e09ca138

GuLoader

3f2c710a97bb42579ee2f9956437ff160a68bd787439fbc025ab3d6b46076d34

GuLoader

448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9

GuLoader

90a94255c2017221edd00cc99acd98a33e112e1182d9fd146d6a4ad9aa96921e

GuLoader

91ccab55a241292f119e41c55467b08fd4fdade44fe0f9a36b5ad66848491c46

GuLoader

98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced

GuLoader

99b13841abbf0c2bf736ab08e0e7f48cd28cab2e69eff60399de65e0eced2e68

GuLoader

d4a6bde59452ed3c565535321cf37bd40fd1ad7a547ae2dddb555a3bfdfff236

GuLoader

+ 5'675 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

xz da3b10a94d023641cdbaef67f6a631b2a38e1f587e8ffc8bf7ace4b07d0627f5

GuLoader

exe ffdd9979e0fdcddd2224f3fd431b615ad3bc4f3e9211863a2cc41892caa69586

(this sample)

Dropped by

MD5 26929671259f60c85297295167dbe752

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 da3b10a94d023641cdbaef67f6a631b2a38e1f587e8ffc8bf7ace4b07d0627f5

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample