MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf5a86737ab13ec2ea858e0d7c635c3a3c79d1deda05e79a81dd1b470dcb0942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4


SHA256 hash: cf5a86737ab13ec2ea858e0d7c635c3a3c79d1deda05e79a81dd1b470dcb0942
SHA3-384 hash: 748cb830452498ed7e955104276f2cc5fbc57fede81207b1e6d220570a893d7ec8170f2497f6cd7a9da6a85392270613
SHA1 hash: d21c694dd285157d9dda0e8abdcedada5594a068
MD5 hash: 785dd0e1472e6f0dc6f78c9e98f55671
humanhash: grey-muppet-uranus-mississippi
File name: PLanilla de Facturacion Mensual 2020.exe
Signature: GuLoader
File size: 114'688 bytes
First seen: 2020-05-26 13:45:34 UTC
Last seen: 2020-05-26 15:24:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0c33c5b6c23258752d6300239a539326 (1 x GuLoader)
ssdeep: 768:Pw3KucK9IS6v3GyVJQ+NbT7l9CLNCf9FH1l3Hv4Vi2a3AHAS:a+K9OWlop98wvHrHvuY6
Threatray: 5'119 similar samples on MalwareBazaar
TLSH: 30B3181B34D14C72FC7C9BF658F195640D66AC003E0E4B2FB508FE6C297768A68A4B97
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: mail.strongmailvault.com
Sending IP: 111.90.144.220
From: Bárbara Pavez <bpavvez@alternattiva.cl>
Subject: PLANILLA DE FACTURACION HASTA ABRIL 2020
Attachment: PLanilla de Facturacion Mensual 2020.img (contains "PLanilla de Facturacion Mensual 2020.exe")

GuLoader payload URL:
http://kuroilersuganda.com/bin_OCtwVXZv132.bin

Intelligence


File Origin
# of uploads: 2
# of downloads: 77
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-26 14:36:06 UTC
AV detection: 27 of 48 (56.25%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe cf5a86737ab13ec2ea858e0d7c635c3a3c79d1deda05e79a81dd1b470dcb0942 (this sample)

Delivery method: Distributed via e-mail attachment

Comments

CAPE Sandbox commented on 2020-05-27 05:50:14 UTC

#Formbook

https://capesandbox.com/analysis/4937/