MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f1db1a968cf8e4ca4b88cf2836637c16e44c604a2a10058b23f684fc3bc4339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f1db1a968cf8e4ca4b88cf2836637c16e44c604a2a10058b23f684fc3bc4339
SHA3-384 hash: 771c5b11958169021d0a044399d7410e179f1d1b9df43a6d761b53b18be0558823fad78fe8e20991522f0784e9bcacc8
SHA1 hash: 812d3dc7ac6af915aa00e20e2f3051896c1fb535
MD5 hash: e29b5c235402bd848d5d189db905292e
humanhash: hotel-kilo-princess-pip
File name:DHL_Details.exe.iso
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'572'864 bytes
First seen:2020-05-01 10:16:18 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 12288:4i2KmIpZ7l+/yO3VhZjgMU4eB7hqcXd3d7ecxBOPY4Jvjg3FVLg904yp4lFV:4FGl0ycAF1d39eqBOPYovEZ4y+v
TLSH 7275AF62B2C04877D0731E78DD1B93689837BD612A2468C677F53D4C9F393A13A3A297
Reporter abuse_ch
Tags:DHL GuLoader iso RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: beast-iceberg
Sending IP: 103.230.158.53
From: DHL Customer Service <customer@dhl.com>
Subject: Dear Customer
Attachment: DHL_Details.exe.iso (contains "DHL_Details.exe")

GuLoader pushing RemcosRAT via drive.google.com

RemcosRAT C2:
u863495.awsmppl.com:2404 (185.140.53.106)

Pointing to nvpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7735852-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 21:31:37 UTC
File Type:
Binary (Archive)
AV detection:
17 of 30 (56.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4o3dkliz6hezjfyrtzigzrxyfxejrqeukqqawfsh5ue7q54im4q._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 3f1db1a968cf8e4ca4b88cf2836637c16e44c604a2a10058b23f684fc3bc4339

(this sample)

GuLoader

Executable exe 49c1e306362700be6143f3dc9592a72ca5d9dc3d7237d9f8e4f14b5c14ea2155

  
Dropping
MD5 a994c282121739bf0b82afd98cc594a4
  
Dropping
GuLoader
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 49c1e306362700be6143f3dc9592a72ca5d9dc3d7237d9f8e4f14b5c14ea2155

Comments