MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d7bdf9a4d6651b7fd3d181799bc3fdd912b1ed4de9da3ced646b0149dbca007. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments 1

SHA256 hash:	1d7bdf9a4d6651b7fd3d181799bc3fdd912b1ed4de9da3ced646b0149dbca007
SHA3-384 hash:	5869e2fe8c400ea4e92a6510e4a572a133c6ff69296f105e98963f34e62030fd08925b25b158eb67afdc2c125a94bc2b
SHA1 hash:	03552cd02b5db9d93904c45e5e841c2500f608ed
MD5 hash:	4afb6333da50ef961f85c7909531f5b2
humanhash:	video-arizona-hot-potato
File name:	Quotation Request_20202605_20202605_20202605PDF.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	114'688 bytes
First seen:	2020-05-26 13:39:27 UTC
Last seen:	2020-05-26 15:24:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	108591967ed4bf8f740bf958c8455ee8 (1 x GuLoader)
ssdeep	1536:TFsVC8eQJdeLH0LY7rvwh3X9FgyERQv94:SVC8TJUDyKv+XcyECS
Threatray	1'545 similar samples on MalwareBazaar
TLSH	8BB3290730905CB2FC6C9BF06932C69D1D71EC147D450B673A8EFAAE29767CA16B130A
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: esperanzaeg.com
Sending IP: 96.44.147.58
From: Elizabeth Kelleher <Purchase.department89@gmail.com>
Subject: Quotation Request From Axia Global Services.
Attachment: Quotation Request_20202605_20202605_20202605PDF.z (contains "Quotation Request_20202605_20202605_20202605PDF.exe")

GuLoader payload URL:
http://www.pdslhk.com/file/binfle_zhQkq115.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/4945/

Detection(s):

SecuriteInfo.com.Gen.NN.ZevbaCO.34122.hm0@aypbvflb.24770.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-26 14:35:53 UTC

AV detection:

26 of 48 (54.17%)

Threat level:

2/5

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

4b610516f134b6efb2100a2e298a70b573be1cd6c4d653af007b907f11ff065e

5a30aa9032bf9eb86209f176404481e70fa108b689330a2544ce0b54fa959ab4

6ba2ab2afade3c48fb86ce5290a0980f19e901117033cb723cfd48b3ab2c6888

8b791216101006bea031bc4ff657001f95cd58ed1db4429a242d79050f947d40

983a50787533f7fb48c7aeccfe0cc8ea3b16a76a39b22a1668ef800ed56556f6

ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49

b666f8a605a45edebf5a3980675d00b84343a9b3c7a6d00fb90c37f40b55ac57

cebf765590be725ca5f5589e51a0e81236f6e63dae47f1cdff6029429827c0be

eec46d65be09a86f25c891d462671a7a0b3140ee4a8a6ac0a9fa7e1c56a8cb40

f6acfb0076b3a4e817b12f1f4e91eb89dbeeee1bca29d591949b73dfb604ef68

+ 1'535 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-9q4pfh246e/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

z d09fe18aaf2d6d6e5bab1c3720853219c2ec1ba24d170bbef2051c8263f8c00f

exe 1d7bdf9a4d6651b7fd3d181799bc3fdd912b1ed4de9da3ced646b0149dbca007

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/369178/

Dropped by

MD5 bab5e4d5df17b0219aa66075b429d80e

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 d09fe18aaf2d6d6e5bab1c3720853219c2ec1ba24d170bbef2051c8263f8c00f

Cape

Cape

https://www.capesandbox.com/analysis/4945/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

CAPE Sandbox commented on 2020-05-27 10:14:03 UTC

#Lokibot

https://capesandbox.com/analysis/4945/