MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 625d65e2f28c0eb382f79567e2688de8188fa6606f6add912c74305c6f560718. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	625d65e2f28c0eb382f79567e2688de8188fa6606f6add912c74305c6f560718
SHA3-384 hash:	3e05597f8cc7cfc413ce4ff45bcbaf7132aaddf6e5ec9a5992e6f47b3b571f923f36c9191e32a48585a38b62ade86fa7
SHA1 hash:	45af662730bf2912f7333c88b8fcce6872166460
MD5 hash:	4638c767c31b5b1e4c142c460ad7968e
humanhash:	lithium-item-blue-batman
File name:	777504307241.GenesisAWB_PDF.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	77'824 bytes
First seen:	2020-06-08 12:14:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2f526edf3118615c450f6dfbe7a3a069 (1 x GuLoader)
ssdeep	768:60ysfNpuRnnPilTjATMLCU3xjOpTkRXQJtEWx4Be3KOeMmZO0z/g/klFJk:60ysFY6TjMoCGcp0goKKNl
Threatray	2'251 similar samples on MalwareBazaar
TLSH	8F73BF176808C591F18046B2ADA39F9D2223AD385D06AE873B5D6F9FFC346C25CE532D
Reporter	abuse_ch
Tags:	exe FedEx GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: mail-in-pg1.advancedserverdns.com
Sending IP: 103.12.211.15
From: FedEx CCS <clearance_cs@fedex.com>
Subject: [EXTERNAL] : FedEx PRE Notification of Arrival - AWB# 770116605315 // Jakarta: Need BC23 Confirmation
Attachment: 777504307241.GenesisAWB_PDF.gz (contains "777504307241.GenesisAWB_PDF.exe")

GuLoader payload URL:
https://asmobilya.com.tr/AmHome_bhPixbUN54.bin
https://cmdtech.com.vn/AmHome_bhPixbUN54.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/7022/

Detection(s):

SecuriteInfo.com.Variant.Razy.681950.26137.30067.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-07 23:50:28 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mjowlyxsrqhlhaxxsvt6e2en5ami7jtan5vn3ejmoqyfy32wa4ma._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1

168cd5b5e4d1dfec48777cdc97b74c7b33dca67d176f9add9bb94fa89905db38

23eb70abd818d93364ae2f896425d05fd38788c54429f874fabade1671b267b6

63a5b27aaccab499d4e56d6606d9495484685be3f63817f9e90a61330bcffe38

a7b55b6bfafb6d370f94ff25e294f90d28818a1842ecad4546d18334c616cb97

b282b41544510e59a40e875239a18b038243be344b1439e19d821eb7622e9230

bf6d2e90c5fd6b327f1e513402eb01491ac8487b682243450ad684de5e6e62d4

d05800ab82af8100fbb6ee66729de2aa580f8acde780df49ef14b4213f316e87

e0a55cba6885e046f0eb064179877af39b10f3d8cc74b8c697ea7c8cda6ab739

f888221496147b75d54210c499498b02780082a4e241575c7374adf58c38d902

+ 2'241 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-8fjsftdahn/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz fea2a26f72ed580028039f7c3b30b76ec2af5ca9d60a62894c9e3c6fbf65bf1d

exe 625d65e2f28c0eb382f79567e2688de8188fa6606f6add912c74305c6f560718

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/370271/

Dropped by

MD5 4c88b4c4c11099512695baee3cfeb96a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 fea2a26f72ed580028039f7c3b30b76ec2af5ca9d60a62894c9e3c6fbf65bf1d

Cape

Cape

https://www.capesandbox.com/analysis/7022/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample