MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bed372d49cbb980146b1900cf0e641d7e5e9a72a25afbeea28ff996cb93da5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	4bed372d49cbb980146b1900cf0e641d7e5e9a72a25afbeea28ff996cb93da5a
SHA3-384 hash:	b328bd2670e5a38348d02417bfc277915bf1c24ec7f7a76562a9aa92a44b3343ef18c304125bc998b6bcb9ac9691302f
SHA1 hash:	d307ed6f773f4998259111c98d6af9d6f4833bd1
MD5 hash:	8a3c722ff3b20e1138da11dbfaee89c0
humanhash:	april-thirteen-charlie-nevada
File name:	quotation.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	77'824 bytes
First seen:	2020-06-08 12:14:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	033b8b0b9fc3d062c1b7fb3adc96588c (2 x GuLoader)
ssdeep	768:EoSysfNpuRnnPilTjATMM0NevgEcaIcoiupTkRXQJtEWx4Be3KOA9Yz3gAYhhPuL:EoSysFY6TjMl09oAp0goKKDM0g/x
Threatray	1'223 similar samples on MalwareBazaar
TLSH	3673A013AC00C581F0E186B1ED938E9967762D29AD435E47364A3FAFBC317C65EE122D
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: dd42314.kasserver.com
Sending IP: 85.13.157.240
From: balasus@aachtal-apotheke.de
Subject: Re: quotation/INV655
Attachment: quotation.zip (contains "quotation.exe")

GuLoader payload URL:
http://156.96.118.179/AWELE-RAW_GTWfCx233.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/7021/

Detection(s):

SecuriteInfo.com.Variant.Razy.681950.29215.25167.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-08 12:16:05 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jpwtolkjzo4yafdldeam6dtedv7f5gtsujnpx3vcr74zns4t3jna._file

Verdict:

malicious

Label(s):

azorult

guloader

Similar samples:

05a1356768e4475daeebaae76e486705d2d920e7e4d511c1436ea3f9a650c1df

15145ed8e5ae3cf2acf9ad25bbcb3f782c4d8ba9674185d06baa66ae6d17f25a

2c80f61e5c61bb87be9e2d60e69093bcb5082fc690fcd751be787dbd118d5e57

44b9088e8bd1c22c10d5ea77951a3dda0884a8564187a8f98a4472120f374c91

5ccb57aee84a40da7ec9dbd4f06beca1f636964c4124db36666ecccc3ea7b389

68f66dd88b1a69a8ff2e63cca5e4554e1b147ccd2474d356b60a749c21412fd4

6b4c217c0bdb4660db2d83a8deb9e538e801e8c275e5e1fe955497970daf24c0

7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09

b8565239fc984ae11a613ad6a80eebcf3e006125c8e6240583a0365669c32397

e9bcebb30731ce1c7ecca26eb2d6a717caf06824fd834775e571d4f684f9d279

+ 1'213 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-81n8cfxmxs/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 28ea39f7708fc87b567a4fb75fbfe5198b8dca4116e405c074e26dcfd2d69f21

exe 4bed372d49cbb980146b1900cf0e641d7e5e9a72a25afbeea28ff996cb93da5a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/369174/

Dropped by

MD5 31cdb69a08426824b1678058ec5b46fd

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 28ea39f7708fc87b567a4fb75fbfe5198b8dca4116e405c074e26dcfd2d69f21

Cape

Cape

https://www.capesandbox.com/analysis/7021/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample