MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5f6c2a230e8c24dd4859e076e8802d5785c6af1056388a3bb660d091c1437ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b5f6c2a230e8c24dd4859e076e8802d5785c6af1056388a3bb660d091c1437ac
SHA3-384 hash:	71befebeb0dae4b17b7e765f431fcf8d9e45e87aa31180fe1461a4889c26faf38dc9fc0a09b107e498298b442521c93c
SHA1 hash:	ae174ad9d8638191dd732f851824833c6579acde
MD5 hash:	90ce0f474374981b8878cbf7b91e0bdc
humanhash:	lactose-wolfram-west-florida
File name:	QUOTE.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-06-02 11:20:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1f0830c0a7b18076342bf5c4179b06c7 (1 x GuLoader)
ssdeep	1536:FdFO8lL9atVvjxuRtKlB9SXeJ8SLzwK9wEEPL6JXGhbR:batBcKlvD8UzwmLeR
Threatray	2'582 similar samples on MalwareBazaar
TLSH	809308037AD44505F1B24A706EBB82696F15BC2E4D429A0F790D1A4BBB317A39C6D33F
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: whm.mastertindo.com
Sending IP: 103.103.192.221
From: 최용현(CHOI, YONG HYUN) <yonghyun@dsme.co.kr>
Subject: 견적 요청
Attachment: QUOTE.zip (contains "QUOTE.exe")

GuLoader payload URL:
https://cor.sehablae.com/man.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

67

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/6100/

Gathering data

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2020-06-02 00:47:28 UTC

AV detection:

16 of 31 (51.61%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wx3mfirq5dbe3veftydw5cac2v4fy2xravryri53mygqshaug6wa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

122256cada458b72697ddcda3d76cb49671318a2e38e898f7f38aeb6f1a19cab

13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c

5f8025bc323e672da091a43d6d7ddf8cc6d9e880ddefde5955d0cbafd0092c83

69e3e7a0726435f1d48dc9d56db3a3759fb038b9c8b7506ce48e5efc5460d839

7a3acd412036e1f071595f9ee144d45ee7dcc0a6f4fb8c6ed45022ec423e6061

803e96c5dc273ebc317b62354c790742fbb9807ee577e52790f293ed8298dde9

85efd0b4c3bb6232c4e075e99c46574b564785b0bdfa1b8bd91805922d91cef3

893ef71a58da9c450161aa56fddb97cd0e9c377f94a55e1d71a42569ee085de3

ecab33f5998dc995c200750f575b8571ae2a9d00b8264ed557be2d651230064e

fa4d6e0887210c5f967d3349942cd846130e5c3c227e56cb0782ec4bc0d9bea5

+ 2'572 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-d7v5r5r39a/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 1f86ae518180a446b6512634165900094f510d6f55eb32a61e593b948b5905db

exe b5f6c2a230e8c24dd4859e076e8802d5785c6af1056388a3bb660d091c1437ac

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/374170/

Dropped by

MD5 411185067af1c689e07919d1899420c6

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6100/

Dropped by

SHA256 1f86ae518180a446b6512634165900094f510d6f55eb32a61e593b948b5905db

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample