MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 122256cada458b72697ddcda3d76cb49671318a2e38e898f7f38aeb6f1a19cab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	122256cada458b72697ddcda3d76cb49671318a2e38e898f7f38aeb6f1a19cab
SHA3-384 hash:	ab642087c0ae99447f2d66b326b8f8ae1bb2980f69a246c21c2021d0325b735d2e0875dd57c712424558ba88cde8a605
SHA1 hash:	bc77e34f9e347d33cb79067faf8019a3fc5df7e7
MD5 hash:	47de2a067254fabff0b508b781b1699e
humanhash:	skylark-tennessee-orange-east
File name:	777504307241.GenesisAWB.PDF.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-05-23 11:52:45 UTC
Last seen:	2020-05-23 13:13:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6a5e40fac5cd08b1948856cdd11fbb86 (1 x GuLoader)
ssdeep	768:mOY6MPWrlTPzelvV1II2EfAZL1MkcoSj3EP7IZjctUQ4:5YvQDzeR7b2EfAM76JtK
Threatray	1'533 similar samples on MalwareBazaar
TLSH	84930A25B551DDB6CA388FB18E36CB98152BBD3429944A0331D6BB3C2E3318D5B6734B
Reporter	abuse_ch
Tags:	exe FedEx geo GuLoader ISR

abuse_ch

Malspam distributing GuLoader:

HELO: ganesa.dua.rumahweb.com
Sending IP: 103.253.212.231
From: Fedex Station Admin Office <sales@estuadiarta.com>
Subject: [חיצוני]: הודעה על הגעה ל- FedEx על ההגעה - AWB # 770116605315 // צריך אישור BC23 ????????
Attachment: 777504307241.GenesisAWB.PDF.gz (contains "777504307241.GenesisAWB.PDF.exe")

GuLoader payload URL:
https://heavenfort.in/MY_XXX_VUVHawg214.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

74

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Ursu.878571.22007.308.UNOFFICIAL

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

0 / 100

Link:

https://www.joesandbox.com/analysis/361549

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-05-23 12:36:19 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

25 of 30 (83.33%)

Threat level:

5/5

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c

2215802f5deb432f07a1aeebb7eeeffdf18cc5a035b0315ea693b08a4dbf942d

5f8025bc323e672da091a43d6d7ddf8cc6d9e880ddefde5955d0cbafd0092c83

69e3e7a0726435f1d48dc9d56db3a3759fb038b9c8b7506ce48e5efc5460d839

7a3acd412036e1f071595f9ee144d45ee7dcc0a6f4fb8c6ed45022ec423e6061

803e96c5dc273ebc317b62354c790742fbb9807ee577e52790f293ed8298dde9

85efd0b4c3bb6232c4e075e99c46574b564785b0bdfa1b8bd91805922d91cef3

b5f6c2a230e8c24dd4859e076e8802d5785c6af1056388a3bb660d091c1437ac

ecab33f5998dc995c200750f575b8571ae2a9d00b8264ed557be2d651230064e

fa4d6e0887210c5f967d3349942cd846130e5c3c227e56cb0782ec4bc0d9bea5

+ 1'523 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-dhgjtng7ke/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 710c0f9d85b257932cceb0a3e8826b2a190d1e1dc10b9c155f14bada66e538a0

exe 122256cada458b72697ddcda3d76cb49671318a2e38e898f7f38aeb6f1a19cab

(this sample)

Dropped by

MD5 623a258bef20ffe6422162ad40d4de91

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 710c0f9d85b257932cceb0a3e8826b2a190d1e1dc10b9c155f14bada66e538a0

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample