MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 042359241a3a3f4d635527751c2268cc80121586dc68c9a6732edb20d25ce760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 042359241a3a3f4d635527751c2268cc80121586dc68c9a6732edb20d25ce760
SHA3-384 hash: 5bf930d3b60bc19c5d3606c1676b24355277fe35e52bbfbe51eeef0b5432a9a4bf371e36164f80d8ae6e5035d7308c2d
SHA1 hash: 2bd349c684a2d54602424d91f968467fd029616f
MD5 hash: ab7f3692e88e298ccb4a9d4355e1f04b
humanhash: arizona-zebra-ten-pip
File name:Pago.xls
Download: download sample
Signature GuLoader
Create hunting rule
File size:72'704 bytes
First seen:2020-05-08 16:18:02 UTC
Last seen:2020-05-08 17:04:24 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 1536:tCxEtjPOtioVjDGUU1qfDlaGGx+cL2QnA/xMt2bk3ysqyPUcAf/s7:tCxEtjPOtioVjDGUU1qfDlaGGx+cL2QP
Threatray 866 similar samples on MalwareBazaar
TLSH 09630691B685D8C6D95807354CEBC6E63B27FC106E6687CB3284F32F2E7668089C3657
Reporter abuse_ch
Tags:GuLoader xls


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: p3plsmtpa09-09.prod.phx3.secureserver.net
Sending IP: 173.201.193.238
From: Cuentas <gerenciadivisioncuartos@hoteldelprado.com.mx>
Subject: Pago
Attachment: Pago.xls

GuLoader dropping Loki

GuLoader payload URL:
https://www.nilemixitupd.biz.pl/BRONZE/WTYHHGHVCDKNJKJ.exe

Loki payload URL:
http://protestlabsmovings.es/hukol/build_XzflZxgH12.bin

Loki C2:
http://157.52.211.247/bribate/Panel/five/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W97M.Downloader.4000.21893.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Document-Word.Trojan.Sload
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 16:35:20 UTC
File Type:
Document
Extracted files:
24
AV detection:
16 of 31 (51.61%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqrvsja2hi7u2y2ve52ryitizsabefmg3rumtjttf3nsbus445qa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1224967aa7aa8b416aae37b76dc075255948fcf66a6986a880dd00f0ca17737e
GuLoader
1240a7ff417004b8b3b98ce0d7adc1f959178e730590b45b2cba92c473fc0b89
GuLoader
14885a4bfd76cdb49db108d03ce3a8c88c301c786eed577606aaacc49d673bfa
GuLoader
4e49f8ed15a69e1147ae9428c9e5b4d4aa928769f261627abc059d2060e94a6b
GuLoader
4e7757f18ae0c6aeac44ed49de53657e81d46474c75c431b291e3e5712b94045
GuLoader
54a1f9c8f39feac2378a5e2221e95dc41167cd80d541f448e0ec3e347f183029
GuLoader
6617979630def30c8a103baceedd1ddb972a53b984de91682aa93451faf833bb
GuLoader
726156ccca0ba0077df20db0e438db482c7197d69453b890332ed69a9e509352
GuLoader
7848e6e1c38a88fffa92f4ef02ecbf2ac332f2c12a42b04f6d0ac186ad815c21
GuLoader
d9073504ba97540b65006d851251f330bcfb130500daad9a7f8616cb5a6a9ba0
GuLoader
+ 856 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-v1l9ecrqnn/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Office loads VBA resources, possible macro or embedded object present
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:win_alina_pos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_gootkit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Excel file xls 042359241a3a3f4d635527751c2268cc80121586dc68c9a6732edb20d25ce760

(this sample)

GuLoader

Executable exe 5f642d8b157f2edffe4bdf562b68625062021c6667b52f1b1d87489c4399464d

  
URLhaus
https://urlhaus.abuse.ch/url/360038/
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5f642d8b157f2edffe4bdf562b68625062021c6667b52f1b1d87489c4399464d
  
Dropping
MD5 9c64ea15e4743bd4dd0acb98dcd69337

Comments