MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1001c873070cced8d9bb50e6f38cb0bdf9aa60eec13216df00297616a8c0acc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1001c873070cced8d9bb50e6f38cb0bdf9aa60eec13216df00297616a8c0acc0
SHA3-384 hash: 0daad41ae243868c2a04e02b4a039d674b138e93b6c18a7e5d3ad102de55a1d9060c3366784723f94e148442e8850986
SHA1 hash: 0487e8089c0790f47afb27742264a20d5acd49cb
MD5 hash: 2b7cae68e671d927809b5087f9f50f40
humanhash: quiet-oranges-uniform-fourteen
File name:Liberationistin.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2020-05-28 07:00:51 UTC
Last seen:2020-05-28 08:22:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f729639b7677a35c9f8b67023b2cbe5e (1 x GuLoader)
ssdeep 1536:H9PteiiInxdRFgS1qNTKFaK/OZIua0xLZ4U5i/YKEVoyF:JteiDcgtFaK/DuVxu3+ou
Threatray 382 similar samples on MalwareBazaar
TLSH 37B30A2774E08CBAEF34C9710D229EE52C27BD216E425F0F3587FB0D25362A739A1646
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: nsmail.psa.gov.ph
Sending IP: 202.78.94.66
From: Nashad Noor Nilambra <nasad.noor@cppmde.com>
Reply-To: Nashad Noor Nilambra <rahmati@kitoenterprises.co>, Nashad Noor Nilambra <sw4629342@gmail.com>
Subject: Project: BAB Integrated Facilities Project (BIFP) Closing Date: 30th May 2020
Attachment: RFQ DOC 7800000174.IMG (contains "Liberationistin.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=F5533CD060D35070&resid=F5533CD060D35070%21163&authkey=AINnNbxdElpMFHs

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5790/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader33.47053.1085.28320.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 19:23:59 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1c6c9635f0c01cc93b504293351215058cf9ef8b62ca38ce71012a4875fbe0a4
GuLoader
3712c1a9e9ab864ee28897d0802179db4a2f664f61629f1154437640be377530
GuLoader
4067a43c3518dd21e937615d4d05115eeb11a15691ebb1197222221b5cdf9e9d
GuLoader
af8343cc25fb243e378897bcf5c22ff94287610ae86538862feb362e2382b456
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
c85e13a5030bcd0c8173ef7ff6939690fe9638fa25d3c89cbf1e1e95a89db997
GuLoader
eddacc373c3a12d02cfb1398299eaa3bbb815e090eb8640883dbc67adcd23a80
GuLoader
eecaf5677c5c21d268261eef35a819549dda3c454e9b60e368070aa3bfd2f54c
GuLoader
f5a50a90c27cf750df26867951d71dca1d8d7c80505c484446173be314f89443
GuLoader
ffaecfe0e94157f82c2c6b162c2e97c081d2d6c7d64bab85cea7ec9684dde8c5
GuLoader
+ 372 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-7vf4pqbn3n/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 2c18e29bb3df82a2c80d2b4679e079972ca301b239131abff0d9dfdf3917ea2c

GuLoader

Executable exe 1001c873070cced8d9bb50e6f38cb0bdf9aa60eec13216df00297616a8c0acc0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/370085/
  
Dropped by
MD5 3f46f856950c25e72add9fc6a3b55d3a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2c18e29bb3df82a2c80d2b4679e079972ca301b239131abff0d9dfdf3917ea2c
Cape
Cape
https://www.capesandbox.com/analysis/5790/

Comments