MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 168cd5b5e4d1dfec48777cdc97b74c7b33dca67d176f9add9bb94fa89905db38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	168cd5b5e4d1dfec48777cdc97b74c7b33dca67d176f9add9bb94fa89905db38
SHA3-384 hash:	ffaadae908c96fc870280ea67e953434e28c9b1317b52cb604664f6292c026af179d4b0217b9023c0c9b3cc5f08a0906
SHA1 hash:	2fdf972b6adc2e4a9afb603fa71110772cf8132d
MD5 hash:	525831379a0e9c744bee35201da35eb1
humanhash:	yankee-mexico-asparagus-robert
File name:	RFQ-OM-3994 - Closing Date 15.06.2020 - MEPF-PO-2020-060.scr
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	77'824 bytes
First seen:	2020-06-02 11:15:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6d734ddbd71f7be25513ac08aaf8ee31 (1 x GuLoader)
ssdeep	768:SEUvhc7416N8lBR2zI9+X/bixpaB8lVs6pJk2aoUvtStN2QsIl:AvFO8lL79+jiaB0qoUvtS2
Threatray	2'513 similar samples on MalwareBazaar
TLSH	4D735A136E088E12C5B041B15C77C7BE3F55BD0C9A822A4F388E6E67BB367616C5E21D
Reporter	abuse_ch
Tags:	GuLoader scr

abuse_ch

Malspam distributing GuLoader:

HELO: medpex.com
Sending IP: 210.244.73.74
From: Elizabeth Kelleher <purchase.department89@gmail.com>
Subject: Purchase Inquiry - DYNAMIC SOURCING
Attachment: RFQ-OM-3994 - Closing Date 15.06.2020 - MEPF-PO-2020-060.z (contains "RFQ-OM-3994 - Closing Date 15.06.2020 - MEPF-PO-2020-060.scr")

GuLoader payload URL:
http://www.stylam.cc/file/binfle_brHFWEl85.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/6073/

Gathering data

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2020-06-03 01:02:24 UTC

AV detection:

15 of 31 (48.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c2gnlnpe2hp6ysdxptojpn2mpmz5zjt5c5xzvxm3xfh2rgif3m4a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1

23eb70abd818d93364ae2f896425d05fd38788c54429f874fabade1671b267b6

625d65e2f28c0eb382f79567e2688de8188fa6606f6add912c74305c6f560718

63a5b27aaccab499d4e56d6606d9495484685be3f63817f9e90a61330bcffe38

a7b55b6bfafb6d370f94ff25e294f90d28818a1842ecad4546d18334c616cb97

b282b41544510e59a40e875239a18b038243be344b1439e19d821eb7622e9230

bf6d2e90c5fd6b327f1e513402eb01491ac8487b682243450ad684de5e6e62d4

dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6

e0a55cba6885e046f0eb064179877af39b10f3d8cc74b8c697ea7c8cda6ab739

f888221496147b75d54210c499498b02780082a4e241575c7374adf58c38d902

+ 2'503 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-dxhrgxyrn6/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

z 887e0a23b04f89437cf964d5847af1980cd2dfb8211faa41e6f266a6f4cc1507

exe 168cd5b5e4d1dfec48777cdc97b74c7b33dca67d176f9add9bb94fa89905db38

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/374405/

Dropped by

MD5 8c8656f9e2a39452329c453d1492d31c

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6073/

Dropped by

SHA256 887e0a23b04f89437cf964d5847af1980cd2dfb8211faa41e6f266a6f4cc1507

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample