MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9059531fbff89a14fc3761330cac92437bee44349e6b62e7e807422b4c57e2fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9059531fbff89a14fc3761330cac92437bee44349e6b62e7e807422b4c57e2fe
SHA3-384 hash: 603678b4b6d070924ff4a6efa9b7947017124f1c2a1078a6be049557dd351369270319150df8ead2a35cee98162759e9
SHA1 hash: 4e5043186373323263e8698298e3e7debaec50fb
MD5 hash: aca370cb867228cb76446a8c1caa9de3
humanhash: four-uranus-muppet-maine
File name:Payment Advice.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-05-04 20:46:15 UTC
Last seen:2020-05-04 21:51:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94b3f8fbaa59986ab6681159cf1d9467 (1 x GuLoader)
ssdeep 768:Tb1Oae3+kUnVZWCX15E4x9L/AxMPTaaYkgadDOFqyVXLI1WxNdAMQo+y3XFcqKly:gsVZWCl5E4x9ngVXs1WVxXhTkU
Threatray 442 similar samples on MalwareBazaar
TLSH 15A30B92B7E4900AFA255AF61B68D3E44052FC399C421E833AC4372E7A32D45FA5177F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: pleskl36.axarnet.es
Sending IP: 91.142.210.104
From: Liu Ying | Hofmann Chemie GmbH<expedition1@hofmannchemie.de>
Reply-To: <expedition1@hofmannchemie.de>
Subject: AW: SHIPMENT ADVICE/ PAYMENT
Attachment: Payment Advice.zip (contains "Payment Advice.exe")

GuLoader pushing Loki

Loki payload URL:
http://castmart.ga/~zadmin/xcloud/gold_TtBaWDj152.bin

Loki C2:
http://allenservice.ga/~zadmin/lmark/gld/link.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44213.9459.24962.UNOFFICIAL
Create hunting rule

Win.Trojan.VBGeneric-7750994-0
Create hunting rule

Win.Malware.Generic-7751004-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 08:02:26 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbmvgh577cnbj7bxmezqzlesin564rbutzvwfz7ia5bcwtcx4l7a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
10a4f9b83eb6a7b8ba130f7a9c8c813dee4bfde798f4c7cc539bc35ca18c5821
GuLoader
14bd280177ece118d671795a8b372a0d7de0f3ad3b842ed35726d9b587cb1608
GuLoader
39067a6a8ac06d60189b34afbb9acd73e8e33aba91653c39a037c2f78f972f29
GuLoader
40950dcb88e56bcea0e542f297d60fe5a96d410473ec3fe51e9234b40304d329
GuLoader
473f59e503b660f8b9cd8f4a36f955f59cc9b0ee19dec2570d9a907c22df1907
GuLoader
61bc9714c9d544e67950671f9bf407264caa04db3b82db8deb5ee40e73921e76
GuLoader
7051cafeb459d49b51e160e4dab61b346325159efeec3c734a7131d8e96c3c14
GuLoader
9028aeddf4c76b16753ea37720bae4088308671214e6cf192705622cf07d41e5
GuLoader
eaf38de6ac4347ac84bcbe648301fedfe021aeafbc3bf40404a4003117a8967a
GuLoader
f573cf3eed6dc5635fd82f657a0912c151e2762188e71d161bf173bd40abaa3d
GuLoader
+ 432 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-pmz7a1b7cn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 7f98ce61abb190828de566e219c83d424bd8598864094e701455b255828967b6

GuLoader

Executable exe 9059531fbff89a14fc3761330cac92437bee44349e6b62e7e807422b4c57e2fe

(this sample)

  
Dropped by
MD5 8797fd0e203725c47e17b6dd1e5977a6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7f98ce61abb190828de566e219c83d424bd8598864094e701455b255828967b6

Comments