MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 242e753a150db24e2f8a7787e97e26880806ec11f822eb388867b7703dd2de9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 242e753a150db24e2f8a7787e97e26880806ec11f822eb388867b7703dd2de9f
SHA3-384 hash: 3bcb34d15a7e76486a8344130f097fca61fbd017375630965692d71ba823a57aa074364cf647f486996ef3da48074051
SHA1 hash: bffe2a3ab7b5ae55dc869784b602bb50bbe12f51
MD5 hash: 697ade1df9d97099efa52772726e73d5
humanhash: october-juliet-wyoming-massachusetts
File name:COJHJHHGHVCDKNJKJ.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2020-05-11 15:37:22 UTC
Last seen:2020-05-11 17:09:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f2849ea3b18f409799743aa551737b20 (1 x GuLoader)
ssdeep 1536:hUwddn6zIlau8MvX/DJm0FijxOMr2rS78xSBAgljPOwcAdsDd9Rl79DdCI7Uz:Vddn6mau8WVvRPha
Threatray 94 similar samples on MalwareBazaar
TLSH 89B3F70522D4A117D6FE8DF2578272C9D2ADAD3E7405371B27C2338EE73A841A6D137A
Reporter abuse_ch
Tags:exe GuLoader Loki


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: p3plsmtpa09-02.prod.phx3.secureserver.net
Sending IP: 173.201.193.231
From: Cuentas <compras@pharmasi.com.mx>
Subject: Pago
Attachment: Pago.xls

Malspam distributing GuLoader->Loki

XLS->GuLoader->Loki

GuLoader payload URL:
https://nilemixitupd.biz.pl/SILVER/COJHJHHGHVCDKNJKJ.exe

Loki payload URL:
https://protestlabsmovings.es/trilp/build_QaDIysPvgb173.bin

Loki C2:
http://157.52.211.247/arinate/Panel/five/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Fareit-FTA697ADE1DF9D9.9408.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 16:38:03 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqxhkoqvbwze4l4ko6d6s7rgraean3ar7arowoeim63xapos32pq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1ec005c68dbb8eb8f7a0abeb13966f616e37d53b0c8de29401e14d3b01b21d43
GuLoader
3a7946bae415fc7d5add7b6a5ca391fbe19a1ed621ebd370a9491f0e5358e500
GuLoader
5ec674e9110c534ac08697894fe1f43668c408e3693970f89ae86e6e49c66843
GuLoader
61f5d152caf6b824cc52b2f674caaa87d14163fff7af6186f7a380a451d244ec
GuLoader
8247baad6838676fb803763c3995eb735d8535045c344349fb8cf90e9e22534d
GuLoader
8889140ce8f51cfc74f4e3f751eb8cb73791a95524f87d66c33b8ac2fc552bf3
GuLoader
92d33ffba60dd98d6e60e4487618f808da7bb78ba1a69904edb440a4ecbae4f6
GuLoader
aa7580b3b616549d1c2a826c3ab6b76dceb30ba03aed1705744c75404cc8a856
GuLoader
da84453f047b0c5e2a88e6ba46a11f390b4944f7c7f45563e19aef895c196e8e
GuLoader
ebd4be279ffeac609946977cd38d51331cad3238e36185828c183154f5e03f8f
GuLoader
+ 84 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-tjhnb2czr2/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Excel file xls ebd4be279ffeac609946977cd38d51331cad3238e36185828c183154f5e03f8f

GuLoader

Executable exe 242e753a150db24e2f8a7787e97e26880806ec11f822eb388867b7703dd2de9f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/361190/
  
URLhaus
https://urlhaus.abuse.ch/url/361216/
  
Dropping
Loki
  
Dropped by
MD5 58a8b51e7c69f75f563747eae7bc12fb
  
Dropped by
SHA256 ebd4be279ffeac609946977cd38d51331cad3238e36185828c183154f5e03f8f
  
Delivery method
Distributed via web download

Comments