MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efac718d57cdb1b9c1e08aadd1def7e1754a8466de7abc52912accec70c46a87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efac718d57cdb1b9c1e08aadd1def7e1754a8466de7abc52912accec70c46a87
SHA3-384 hash: ef8b097e0d1e8a4837a8ddda25bb0b13311f9b707c54638fa331087dce05792565fb1db5b2db861749b0c1cc6c672b5a
SHA1 hash: 60daa73924fbcc36e278a6dd3722a258acc5ae6c
MD5 hash: 1c2cf01389308ecc6248307569eada0d
humanhash: crazy-carbon-nebraska-seven
File name:villighedb.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-05-21 15:34:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3904f19e546dfe8c523cf53826e62b50 (1 x GuLoader)
ssdeep 768:JINDFu2S9x6rQrN35dK5R3iDVrBkL5KDJ5+uZwq54yuDna37WFD3:8Ql36U1NBkYDX+uZhEDa37WFj
Threatray 128 similar samples on MalwareBazaar
TLSH 36A329253924EEB1C8298BF1C9708E74151BFD7927615A43BDCB7B1C2E3248AF91A347
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: server.example.com
Sending IP: 103.114.106.250
From: Jason Bourne <admin@mogioan.cf>
Subject: 回复: 回复: ORDER CONFIRMATION
Attachment: Quotation_images.rar (contains "villighedb.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1ovKVpChESCpaA_RXMgvjSy3b7a6K7NNd

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 15:35:48 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
19 of 31 (61.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1863d7653d364f73e1690e3e6ac086b070db17f588ca38db0111b58ad5fccbdf
GuLoader
1dccde0289f175d1d41140302e71242ae0ea250bdc580767256da69f7cb319ff
GuLoader
453dacb9349991ae41f06e03837a54f188f0c60869b2bd6c187a46629d4bbd55
GuLoader
661f829dfec414d0aa55c8d2fecfbb608d15b52554646501620975dec7103cb4
GuLoader
67283e72feeed3ec5c8b7314fd13fe8936a1bf2bc8bde5fb54048c630a57598d
GuLoader
6a5303bb0ea9067e348cb7bee1db4740682b5a3e37822d09d9b80783f64a5569
GuLoader
83c07662096e054ff35d85892e828e2f4127015e0d940e88c3c0cf30ac655bc7
GuLoader
8ab8e638e67326a2635951855e466a9df0a3c699da6a51c7feedb143fbc8a6bc
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
c37ae1ed1bf166c96faa73db4544f415c2b81f0a42ccd5311e0aabc0b9e4f455
GuLoader
+ 118 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-k15ppwe3t2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 597c79976b22b84f2a65f94d21a6d72549381d220b75b5ff452e1f4c08c0616c

GuLoader

Executable exe efac718d57cdb1b9c1e08aadd1def7e1754a8466de7abc52912accec70c46a87

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366248/
  
Dropped by
MD5 370bac0489118b24f9f268b596edc8c1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 597c79976b22b84f2a65f94d21a6d72549381d220b75b5ff452e1f4c08c0616c

Comments