MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2786efe3773e80f8c604fcc48b4f24911d86c7d5b1df5d19c4e17b1002255e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	2786efe3773e80f8c604fcc48b4f24911d86c7d5b1df5d19c4e17b1002255e64
SHA3-384 hash:	747a562bda96cdfcec1bb664fbdc924d9cb2a15f84856a237f6dc9aa70fc1cc9f3c0d909cb9cc570845f01b3e1e6a7a6
SHA1 hash:	78bf12da0283d666144f35bfa22a3b65b1e7929f
MD5 hash:	1558c0c75be9ddfc0d9a6b3a72a12ed3
humanhash:	nineteen-minnesota-oklahoma-georgia
File name:	ID00501Q0395524IDJKT_pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	90'112 bytes
First seen:	2020-05-22 10:15:26 UTC
Last seen:	2020-05-22 10:52:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4eb9e228ad2d938db0f96c7fd5002208 (1 x GuLoader)
ssdeep	768:V84DterE6ZaeSnpiZ2ClZq50qAAQLwoPSq8Njppa38DT3N8BrlC7INGB:2Yle0iZKm3A0wgSq8pppaPlJ+
Threatray	1'614 similar samples on MalwareBazaar
TLSH	AF933901F850ECB6ED104EF14E614AD4056FBC791A290B2B34987F9D7B37EE15A6132E
Reporter	abuse_ch
Tags:	exe GuLoader SCB

abuse_ch

Malspam distributing GuLoader:

HELO: 167jiv71v.ni.net.tr
Sending IP: 95.173.179.167
From: Standard Chartered Bank <send@asmobilya.com.tr>
Subject: SUBJECT:Advice from Standard Chartered Bank
Attachment: ID00501Q0395524IDJKT_pdf.gz (contains "ID00501Q0395524IDJKT_pdf.exe")

GuLoader payload URL:
https://fvkreklam.com/my%20okao_OExXxsd33.binhttps://cmdtech.com.vn/my%20okao_OExXxsd33.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Ursu.878098.29590.5300.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-22 11:02:35 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

23 of 30 (76.67%)

Threat level:

5/5

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

010178bde9e8366d4f93c28ab8a65a7acb802353f9370de9a807ed621fa3d24d

23f8a240f24779895ffce4e489da04e8cc2c705b2311e13a44432a6ef1b1b430

53e239b6031b90ba0da5ad4913eccc1d651ede3bb4b5c21a02d81387f48303d6

72cba3fc465152c8ca9ddf2de472974ad26c0881ba3b85735358381c862cb3a9

8d88c99ff33ecbed42e4185b925f890a616aa0307a559d61595ab67dae6a1a09

8fa47ee760cf1c21de132ec77eef49282a2312f197aba6026ee1de750051014b

a077d38903221c844f9f20a8c6e022a3242445b85faa55e8e650b7a727e048ae

ceaa099f2a2de97a363ef5f7cd4e42fc5f362113a470db75d69848e24a52b14c

e43b2e9112cfdb0636686ec8994eaf717d159d10daefda23f11588a424468e90

e7e511b27ab7c95f959c45346cc2e4d79251e238e8e57df181be987036bfcdf5

+ 1'604 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-89hrhd7d1e/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 6789d90b69f71c6f867c1e0ae5add5d14b8cb81ed48b11bb70e8d895cd86891a

exe 2786efe3773e80f8c604fcc48b4f24911d86c7d5b1df5d19c4e17b1002255e64

(this sample)

Dropped by

MD5 229f744b472f6c9d129f544c9769a29a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 6789d90b69f71c6f867c1e0ae5add5d14b8cb81ed48b11bb70e8d895cd86891a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample