MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 859cc79621eca1e9b1bc85a569d0ddfcdf83440090e8e4ed7aa8054e2c9c460a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	859cc79621eca1e9b1bc85a569d0ddfcdf83440090e8e4ed7aa8054e2c9c460a
SHA3-384 hash:	1d00394e4f1cda87971068278fecb55efff1cc0bc47fc43d85b6627da53511151352a05b9aa6ce2b3e87a1d400724ce0
SHA1 hash:	179c5ff56dc073b29b898931ce652ffa5ae47594
MD5 hash:	5c64282400f87cfaca780f73582d5cd5
humanhash:	sodium-quebec-jersey-ink
File name:	MTO_QCXP00004_04R4_Al. Alloy Plates GR 5083_H321.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-06-02 11:16:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	af2343e8b7d780906fb6f2f1c2a82c56 (1 x GuLoader)
ssdeep	1536:i0FO8lLd1F9WPNB+cR8CLzwKQwZMyn/iQ1FV:Pts78kzwP9A
Threatray	5'845 similar samples on MalwareBazaar
TLSH	CD93F8076AD49601F1B24A716EB7C2A96B25BC290D43DA0F354D2E4BBB307529C6C33F
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: mail.cesosenintl.ml
Sending IP: 64.188.23.5
From: Sanjay Anchan <sanjay.anchan@protosindia.com>
Subject: Firm requirement—Rafael—Raw Material—QCXP00004/03 R3 & QCXP00004/04 R4
Attachment: MTO_QCXP00004_04R4_Al. Alloy Plates GR 5083_H321.rar (contains "MTO_QCXP00004_04R4_Al. Alloy Plates GR 5083_H321.exe")

GuLoader payload URL:
https://secure.drivebookers.com/kali_UfquusEKt204.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/6082/

Detection(s):

Win.Dropper.Vebzenpak-7995201-0

Gathering data

Threat name:

Win32.Trojan.Vbkrypt

Status:

Malicious

First seen:

2020-06-02 11:37:28 UTC

AV detection:

25 of 48 (52.08%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qwompfrb5sq6tmn4qwswtug57tpygraasduoj3l2vacu4le4iyfa._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42

17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f

223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a

3259355435f9e6a9b041b93c2faa1ad8a3867de478a436606702593e4e130dd0

5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6

6604738347de31acf8c045750f89e3f8e1bf57e29007dbc0fd7e21fb4d7e9aa3

93d64ba68ed0dc9c138a80d867806691f14c10c3a98522c7fbe1a442b3f50f1a

b05998bc4d111c80719ab38c75918662f8151fd5e5e223cdc90f0d97caad3b6e

cbd23ab3964e6425f0068a39d6f15dd86708c1bd091912e9229c1840e75ec70d

ebe7e1de6e345ed9445e0d8a11241d13cb92a7df15fc5f05a6c5d6bbf9d3244b

+ 5'835 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-87tahbntwa/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 91cdb83cec82b49276450d15264766977fa78b39a5a682d0b421077ad2121d31

exe 859cc79621eca1e9b1bc85a569d0ddfcdf83440090e8e4ed7aa8054e2c9c460a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/374162/

Dropped by

MD5 5d139a06aaccebb3bf02fe722b6e1149

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6082/

Dropped by

SHA256 91cdb83cec82b49276450d15264766977fa78b39a5a682d0b421077ad2121d31

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample