MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
SHA3-384 hash:	1878e6110638bf7f413067fabe1e9ae68f8cf0cccda8af2788f47cd5af42c2b933ba9ce0cb652bc9cee22befb9b91e7c
SHA1 hash:	995d75d57f35acfe83822255e6ed78333ea91ab5
MD5 hash:	cecb235889de580af2fba5a15bc845ed
humanhash:	magazine-hotel-uranus-oklahoma
File name:	DHL_AWB# 9284730931.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-06-02 11:20:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e86383f23a86f3debb7bb031776f3c8f (1 x GuLoader)
ssdeep	1536:xbFO8lLQbBty3EHXRBKkRluLzwKQw5sfvfKmONj:49thR3RlQzwPAj
Threatray	5'126 similar samples on MalwareBazaar
TLSH	8793F7136BD89501F1B24A706E7BC759AB25BC1A4D438A0F744D1A4FBB317629CAC32F
Reporter	abuse_ch
Tags:	DHL exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: server.gtrit.com.my
Sending IP: 103.18.246.122
From: DHL Express<eawb@iddhl.com>
Subject: EAWB Notification
Attachment: DHL_AWB 9284730931.rar (contains "DHL_AWB# 9284730931.exe")

GuLoader payload URL:
https://qif.ac.ke/flow_AoGPhiVz245.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6097/

Detection(s):

Win.Dropper.Vebzenpak-7995212-0

Gathering data

Threat name:

Win32.Trojan.Vbkrypt

Status:

Malicious

First seen:

2020-06-02 09:44:54 UTC

AV detection:

26 of 48 (54.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c7gnlomnfhyjzxs3jh7okjqcvrpjlrdcy2hqtrpqpujnrkgnryhq._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f

0afe73609922b94ffb25f673db3b621befab30c7f52cd586497b63f8154dbd6d

1e997f4144eb94f184308c7ebe6dbad709cf7151721c563e43a92d52539d4e1d

2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401

65d993ca9f1fffaa634838468d8f9401f7f2812aa75065e9805447db5b667720

7e93dde14915a790ba530c8df9aafdca662a2372210036abeeee86b9b7cb5c4f

895e7e85e398a6bd3615a8453c1ed21979a2676fa84af0e53077635f812b64fc

b3ffcbb8279a9fd2b833c99170fd8cf01f9b5209617840dd8cc4411989d5e479

d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620

e09c2eb3f06cc722f1035d501755645c3feb569441f465ae3ba69aa4aba6ffa1

+ 5'116 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-anaffrxj5x/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 62e30d1e45926daf1912ded4f0517b39d031aee3d5d66df55182f07c94000a18

exe 17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/365459/

Dropped by

MD5 7ce2d2bdbd4b74d2e014b959bfb3f933

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6097/

Dropped by

SHA256 62e30d1e45926daf1912ded4f0517b39d031aee3d5d66df55182f07c94000a18

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample