MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1
SHA3-384 hash: 5dec8e9fe043c1a728b996c017cd8d3c3dff4e3e34961c6961643438f0bdb07c2a752ac37d3ac519590ed86451d0c0a3
SHA1 hash: 99ebfeac48ee676c0c09a7fba06f8b86331b6eb2
MD5 hash: e7e49886e05dc77c7578cae1707c3d65
humanhash: wyoming-connecticut-mango-sierra
File name:RFQ For Hyosung Vina Chemicals PP4 Project, VIETNAM_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'824 bytes
First seen:2020-06-08 12:05:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a8b2d2f78f58944fd3a14731bf06fcae (1 x GuLoader)
ssdeep 768:2YysfNpuRnnPilTjATM58z7ouxS+7h+DiMpTkRXQJtEWx4Be3KOpWFmJzXgro61W:2YysFY6TjM68HoWZMp0goKKLFm36l
Threatray 2'397 similar samples on MalwareBazaar
TLSH 5A73BF176814D6A2F04086B16DD38A4A26126E2C5C026ECFB65A5F9FFC317E25DF232D
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.einihutintl.gq
Sending IP: 94.100.28.210
From: Mr. Kyoung-Ju, Lee <kar@hec.co.kr>
Subject: HEC [Hyosung Vina Chemicals PP4 Project, VIETNAM ] RFQ for DQRE-MR-MR-005 Vietnam DQRE-MR-MR-005 PRODUCTS AND EQUIPMENT
Attachment: RFQ For Hyosung Vina Chemicals PP4 Project, VIETNAM_pdf.gz (contains "RFQ For Hyosung Vina Chemicals PP4 Project, VIETNAM_pdf.exe")

GuLoader payload URL:
http://new.smbtrinidad.com/over_JmlNylz10.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6994/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.52497.28165.9043.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 12:07:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=askmnm2jgm2vbhk73ttnswjnpfxfsl7omshufxpnldo4fhrvmwqq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
guloader
Create hunting rule
Similar samples:
168cd5b5e4d1dfec48777cdc97b74c7b33dca67d176f9add9bb94fa89905db38
GuLoader
625d65e2f28c0eb382f79567e2688de8188fa6606f6add912c74305c6f560718
GuLoader
63a5b27aaccab499d4e56d6606d9495484685be3f63817f9e90a61330bcffe38
GuLoader
89e54f19c04bb28c90f0ee75419a149c8178f9841435a20be727506d0c9506d3
GuLoader
a7b55b6bfafb6d370f94ff25e294f90d28818a1842ecad4546d18334c616cb97
GuLoader
b282b41544510e59a40e875239a18b038243be344b1439e19d821eb7622e9230
GuLoader
bf6d2e90c5fd6b327f1e513402eb01491ac8487b682243450ad684de5e6e62d4
GuLoader
dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6
GuLoader
e0a55cba6885e046f0eb064179877af39b10f3d8cc74b8c697ea7c8cda6ab739
GuLoader
f888221496147b75d54210c499498b02780082a4e241575c7374adf58c38d902
GuLoader
+ 2'387 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-g82ke1cg2a/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip d23608b336c00aa83a96d785c830d71d84cc42b296f9ca50852bf520c0fdf6bb

GuLoader

Executable exe 0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383090/
  
Dropped by
MD5 03a36cb791eb16b73ee3e539ae881706
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6994/
  
Dropped by
SHA256 d23608b336c00aa83a96d785c830d71d84cc42b296f9ca50852bf520c0fdf6bb

Comments