MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cf01afb98a61b2af1b0458770d83d230d1c9ab3bfcb9f2b6a504395403b5165. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cf01afb98a61b2af1b0458770d83d230d1c9ab3bfcb9f2b6a504395403b5165
SHA3-384 hash: f129bfeb1eb73860119333301921e23fa38235a532fb0354a55c978564d8caf40ef22db6e3acf57c8901c7ced6fb3416
SHA1 hash: 194497deff9cc7481fc1f477c88db1831b897031
MD5 hash: 994d3e2726c115e3d53b9a28b2d407c5
humanhash: delta-double-wisconsin-oklahoma
File name:marranoIMG2748891033.com
Download: download sample
Signature GuLoader
Create hunting rule
File size:69'632 bytes
First seen:2020-06-10 11:40:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f174a726307bad94f3cbcf69e72ed03 (8 x GuLoader)
ssdeep 1536:QR7OJExfZIzbEZtNAQPjueGApmfTmYREG+5LIi3/V:8xftZtjjuimfCP5LIi3/V
Threatray 848 similar samples on MalwareBazaar
TLSH 6B636C26BAD0BD71C77567F62EB0D25801B7B93605D1860376103B2F263B84AFAB6707
Reporter abuse_ch
Tags:com GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

From: Jeff Milan <jeff@hsmecorp.com>
Subject: RE: Request for Quotation -OFFER-1084 -Equipment
Attachment: New_Attached_Document_IMG2748891033.img (contains "marranoIMG2748891033.com")

GuLoader payload URL:
http_{vp=f!]L\l#

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7526/
Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 11:42:05 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftybv64yuynsv4nqiwdxbwb5emgrzgvtx7fz6k3kkbbzkqb3kfsq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1
GuLoader
1b476c8bd4604f9eb16f852bd2a7770520789b8740195c32b30f68dcfc9e91e9
GuLoader
304068e131e7bf969d30f3d5d4cf1dff0f17342b5817a6b37a89b3e4e0d79495
GuLoader
7e8e1de7b35bbdd1e9a7aedaa1e3e73602e778768052474e7e56140baaf85e37
GuLoader
846481e2b8fa290c2cb12b0c8803305435c9833c4c791f3d4d989db6f51838c5
GuLoader
b8565239fc984ae11a613ad6a80eebcf3e006125c8e6240583a0365669c32397
GuLoader
c42ae355f2541ec7be30e51b1fcb50a1c7d8b0d6afa717dab533369cb5a69011
GuLoader
dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6
GuLoader
ea4512d4bec0674059c55c5861d977bab515b6d28a543c74f32e1d78126625a4
GuLoader
fc83deb95f3429cec6679ff8d3ebdcc3ef8cf4944bf0b83dd4d84e5f664b000b
GuLoader
+ 838 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-fat7dkxtz6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img c7815bbbe8941bf630f4fd7ba94b5fd2726860f0fb319bf32d2df7c3af3cceb9

GuLoader

Executable exe 2cf01afb98a61b2af1b0458770d83d230d1c9ab3bfcb9f2b6a504395403b5165

(this sample)

  
Dropped by
MD5 7b58941ff47476d015051418bf812c64
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c7815bbbe8941bf630f4fd7ba94b5fd2726860f0fb319bf32d2df7c3af3cceb9
Cape
Cape
https://www.capesandbox.com/analysis/7526/

Comments