MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8ea056cb229cc17d43217a6aba42320468cfaea55d6f9846b5f402bab6b06d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8ea056cb229cc17d43217a6aba42320468cfaea55d6f9846b5f402bab6b06d0
SHA3-384 hash: 76b23e0fdeace8ca9818a40c681f40c9ccbb6f598ea53cf1f49f9548580fa37bcd087439df07f95cd74f25580a4a58dd
SHA1 hash: f5f854677202dc3ba2c7f82a2195cb085c82b24e
MD5 hash: 10406f69817d304806553237e812cf59
humanhash: asparagus-hawaii-ceiling-floor
File name:Purchase Order.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-06-02 11:16:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bb40864a31b215b430750c60010708e (3 x GuLoader)
ssdeep 1536:e4FO8lL5kiEsTrBPnD8WLzwKQwpkb/mNetO:KEpD8IzwPAT
Threatray 1'384 similar samples on MalwareBazaar
TLSH BD9308477AD45601F1B24A712FBB825AAF26FC294C469A0F340D394B3B31762996C73F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: teyseer-services.com
Sending IP: 104.168.141.201
From: Khadirulla Shariff <khadirulla.shariff@teyseer-services.com>
Reply-To: Khadirulla Shariff <khadirulla.shariff@teyseer-services.com>
Subject: Purchase Order
Attachment: Purchase Order.img (contains "Purchase Order.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1LZ3T_Qk2zQPT_y0mEy8QFrfZnJBNKMYM

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6081/
Gathering data
Threat name:
Win32.Trojan.Vbkrypt
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 11:37:41 UTC
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdvak3fsfhgbpvbsc6tkxjbdebdiz6xkkxlptbdll5acxk3la3ia._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
12bae6b2d092fc8c776ea509d90b393df8e8f336214bb155f7e2d7f18beb4cb1
GuLoader
13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c
GuLoader
1ca43e5c33edbf126b18cd7603f5674dc45c9aa2d34efa41796a8f0f9a08b947
GuLoader
6f47b4825836d58654b05deac55c892825a83e479c406b9b027a0dc6bd8e3938
GuLoader
9d772f078ebff5dd18830b266cf39eaea44289e765d6290e8589e684a22d0946
GuLoader
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
GuLoader
d7162b14867eff2ee6b1c0506f91c4e8c1a1cea0ddae632bd49156a179549772
GuLoader
d9ea7ed19010ef0c36ebd05d5abfd5624e21a33ad5e18ca36007671d86eba8b3
GuLoader
dbfdd9906827edada6d6bb63194a7b952f6e5f7592f59f2a9b7ff0dbe9dd01c0
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
+ 1'374 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-8zkj2bz5nx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img f76df6fbfe763902b61f6be764ec1b250d6e5351e63b0f155eec41e7e61cdae9

GuLoader

Executable exe c8ea056cb229cc17d43217a6aba42320468cfaea55d6f9846b5f402bab6b06d0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374163/
  
Dropped by
MD5 ab3ff75bee3a74530d71f6e4a8719051
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6081/
  
Dropped by
SHA256 f76df6fbfe763902b61f6be764ec1b250d6e5351e63b0f155eec41e7e61cdae9

Comments