MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27b805e1ceddb91ebec39349aa21ea5619c84e4c6ef3eb439b8156d66813e13e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	27b805e1ceddb91ebec39349aa21ea5619c84e4c6ef3eb439b8156d66813e13e
SHA3-384 hash:	405bb746aa84213f80fb51aa83e100ca143b5288ee8c3b216641eb1d42169c75bfb6d7a4348bdd3bf750cdbb80505ca2
SHA1 hash:	bcb6a48903d6f8eafe41c4ed68d2986201c96d44
MD5 hash:	8d41f4a492017be7c529a1630e3906f8
humanhash:	south-mockingbird-undress-emma
File name:	tilmelding.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	90'112 bytes
First seen:	2020-05-27 12:59:52 UTC
Last seen:	2020-05-27 14:13:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	279addefb215aaa0807101a0a71d3f71 (1 x GuLoader)
ssdeep	1536:3EFm50XncCCeAPEeJqc3xAo/XJ/FBmyA:UFm50XncCCek/3fMf
Threatray	5'118 similar samples on MalwareBazaar
TLSH	27931A1778744D60E9038572EC7399FD0A9B7C350C911F0FA9987F8E84B7282F9A5316
Reporter	abuse_ch
Tags:	exe geo GuLoader KOR

abuse_ch

Malspam distributing GuLoader:

HELO: mail-smail-vm44.hanmail.net
Sending IP: 203.133.180.232
From: 최현종 <sg-ab@hanmail.net>
Subject: 견적의뢰의 건 (REF NO.J190802-160) :JN1328: RFQ
Attachment: RFQ Equipment, Devices,Machines And Material Specifications-BID-180400940-S~.iso (contains "tilmelding.exe")

GuLoader payload URL:
http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

77

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/5707/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.50069.4747.30093.UNOFFICIAL

Result

Threat name:

FormBook GuLoader

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/363558

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-27 01:01:26 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Verdict:

malicious

Label(s):

guloader

Similar samples:

03d585ea89f4e62bc18d42d1fadad0b02faca6d68c831e79fb542e9efd183f7a

4e0e1ee117544cc9cb6784d36db3d349624ef1c888267b1e266a03ddb17d33a1

5b8bcca6874eb87a0653adc3137d69a11c33c64a0087ad63646f39111ac2e62c

77168234eb706333e4835666a00a8fd8e110959660c97e5c5528ed3a3d0f5081

9d74a45140396715c309ac076839d0abf83ad6e55a4c8fa6cdf6e9cb4dec8cf6

9da0df6eb709cee7468a850c0b59914ca84eeace25bea74ed6d393e0e5e84737

a2165734c858d5f82b42fe0c4ab9d6ea2fd5e63221071f3829bd31e0f405f728

c2fad0ca69171eabf05cff3020af18e45b34558b660e5197bdb4c0c072c9cdde

e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4

e6bdca558fb485e6ac7295d20f868902f2b790bc147fb3ab1e3a6628280d40f3

+ 5'108 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-r23215d7ta/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso c1cbbc6ed70231d5cf6c15d0aa97e8eda26eb88213833d8d19e56857ec8ba08f

exe 27b805e1ceddb91ebec39349aa21ea5619c84e4c6ef3eb439b8156d66813e13e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/369895/

Dropped by

MD5 007248087eaa5f8dac332872a58994f9

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 c1cbbc6ed70231d5cf6c15d0aa97e8eda26eb88213833d8d19e56857ec8ba08f

Cape

Cape

https://www.capesandbox.com/analysis/5707/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample