MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f8025bc323e672da091a43d6d7ddf8cc6d9e880ddefde5955d0cbafd0092c83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	5f8025bc323e672da091a43d6d7ddf8cc6d9e880ddefde5955d0cbafd0092c83
SHA3-384 hash:	37b5ae5d5673eb0a7354aba2af92bec6bf963faab36b402ea68b5c18aa29c6948678b58dbf4c9b581f7f9936795cd3dc
SHA1 hash:	90ff383ffa88958ae008075a470235f1b8a8491b
MD5 hash:	a9fc64ec7c202d88678e637da9f2fd0c
humanhash:	ack-venus-seven-nebraska
File name:	Faktur Bangun Nusa Mandiri.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-06-02 11:19:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b2c2ba3c1fb1d585bc8a9256f23e00b5 (2 x GuLoader)
ssdeep	1536:gdFO8lL+sfUBSalKLzwKQwcnvp/P3a36J2:9vl8zwPvFU
Threatray	2'260 similar samples on MalwareBazaar
TLSH	E09318037AD48602F1B24A712EB786A96F25BC194D438A4F354D1E4B7B317A79C6C32F
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: ns1.mgrserver.com
Sending IP: 119.235.30.7
From: Unipower <unipower@almari.co.id>
Subject: PT.UNIPOWER PRATAMA - INVOICE 073/I/VI/20- PO.9100532496
Attachment: Faktur Bangun Nusa Mandiri.gz (contains "Faktur Bangun Nusa Mandiri.exe")

GuLoader payload URL:
https://asmobilya.com.tr/AmHome_bhPixbUN54.bin
https://cmdtech.com.vn/AmHome_bhPixbUN54.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6094/

Gathering data

Threat name:

Win32.Trojan.Vbkrypt

Status:

Malicious

First seen:

2020-06-02 03:25:21 UTC

AV detection:

16 of 31 (51.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=l6aclpbshzts3ieruq6w27o7rtdnt2ea3xx54wkv2df27uajfsbq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

122256cada458b72697ddcda3d76cb49671318a2e38e898f7f38aeb6f1a19cab

13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c

2215802f5deb432f07a1aeebb7eeeffdf18cc5a035b0315ea693b08a4dbf942d

69e3e7a0726435f1d48dc9d56db3a3759fb038b9c8b7506ce48e5efc5460d839

7a3acd412036e1f071595f9ee144d45ee7dcc0a6f4fb8c6ed45022ec423e6061

803e96c5dc273ebc317b62354c790742fbb9807ee577e52790f293ed8298dde9

85efd0b4c3bb6232c4e075e99c46574b564785b0bdfa1b8bd91805922d91cef3

893ef71a58da9c450161aa56fddb97cd0e9c377f94a55e1d71a42569ee085de3

b5f6c2a230e8c24dd4859e076e8802d5785c6af1056388a3bb660d091c1437ac

ecab33f5998dc995c200750f575b8571ae2a9d00b8264ed557be2d651230064e

+ 2'250 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-y2c3tjpe4x/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 6fb5c63d9b022ede3b8fecbf58b0d93b9575ee5fb1aeac0cf080997133316eb8

exe 5f8025bc323e672da091a43d6d7ddf8cc6d9e880ddefde5955d0cbafd0092c83

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/370271/

Dropped by

MD5 ebe8e230685da5ee0fb02c2424fc6b8f

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 6fb5c63d9b022ede3b8fecbf58b0d93b9575ee5fb1aeac0cf080997133316eb8

Cape

Cape

https://www.capesandbox.com/analysis/6094/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample