MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b596016d60a01e5fb98389d4d8fb68acf6bd7ffd43726c39532da508073a9a3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b596016d60a01e5fb98389d4d8fb68acf6bd7ffd43726c39532da508073a9a3c
SHA3-384 hash: 346e837118fab537515684329dec7079e62c5d076d5eb29329b4c89aa6c3e16261f22f54600b1baeefabf8acb4806b75
SHA1 hash: 7d4205eb9a49fd2b3a9d6ff2464a21feb52d5412
MD5 hash: 3cfb1724ae74a6f884461fe54edb6f8e
humanhash: solar-magnesium-pasta-fix
File name:Maersk KPR_Draft_Bill_of_Lading.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'824 bytes
First seen:2020-06-08 05:30:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9586d49ee8f6d21c87ca2b0e943f4afb (1 x GuLoader)
ssdeep 768:hbysfNpuRnnPilTjATMkXFukZ6uJUHMTkRXQJtEWx4Be3KOeNqar1zXgNI8PPW:hbysFY6TjMHut0UHM0goKKVqkQP
Threatray 5'152 similar samples on MalwareBazaar
TLSH 5F73AF23FC14D512F30146717D938F4A2716AD286D026ADB778F5EAFEC706C6ADA022D
Reporter abuse_ch
Tags:exe FormBook GuLoader Maersk WeTransfer


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: sta.staunchvaluededicated.com
Sending IP: 162.214.70.141
From: WeTransfer <usetolif@jsrnana.com>
Reply-To: WeTransfer <usetolif@jsrnana.com>
Subject: Maersk KPR_Draft_Bill_of_Lading PO_1218103#XML_36425762
Attachment: Maersk KPR_Draft_Bill_of_Lading.rar (contains "Maersk KPR_Draft_Bill_of_Lading.exe")

GuLoader payload URL:
http://ratamodu.ga/~zadmin/group/sen_AIYKO236.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6947/
Detection(s):
Win.Downloader.NetWire-8010885-0
Create hunting rule

Gathering data
Threat name:
Win32.Spyware.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 05:32:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwlac3lauapf7omdrhknr63ivt3l2775inzgyoktfwsqqbz2ti6a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
25cafcbe57ac5344ade543948fbba1f8a5b99d424af61a7d4e9d806e7c66f79d
GuLoader
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
GuLoader
4c841c5e0c2382fae670d7f41f7a75f8d8b2c1a03ff7d7c31eff98c1d9912308
GuLoader
50644eb4c3d4ce7aa1074c0096b43b2c4e7aaff4ce9e9a650c62ae934f85c081
GuLoader
97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3
GuLoader
be4614de71b42f1015076a3c708c09f911091333bdca1792450eccddc5ab1484
GuLoader
c6aeb4ac138f69e967b712ddf91b7d5b2339e3a97d4fce6f7d48379745e2cb2e
GuLoader
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
GuLoader
d11cef47f0e97409844b3bc448cfabcfd7f97a4289012ba50e4b7175f5f4c870
GuLoader
e1ef53521aed004fe790b232883a12cb5f241ead4c81718b08ac0150323563d4
GuLoader
+ 5'142 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-jfbn63hpa6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar e2bfc878c24b0c81c5f22af8f54eae1fa4abf218840861ecd293e79e50131291

GuLoader

Executable exe b596016d60a01e5fb98389d4d8fb68acf6bd7ffd43726c39532da508073a9a3c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/379341/
  
Dropped by
MD5 4bc0419575a3b08e02515e55ce1a7918
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6947/
  
Dropped by
SHA256 e2bfc878c24b0c81c5f22af8f54eae1fa4abf218840861ecd293e79e50131291

Comments