MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a30aa9032bf9eb86209f176404481e70fa108b689330a2544ce0b54fa959ab4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	5a30aa9032bf9eb86209f176404481e70fa108b689330a2544ce0b54fa959ab4
SHA3-384 hash:	7fe7ba79ed3de801c5153a1aa51c356d3ad9f6fb15051d15d4147902ce75cc3b066bdb68d5c5ef315b1a460edde1e5bc
SHA1 hash:	3036f6dab37140f8d938b768f84e03026bea48a7
MD5 hash:	55daff7a690376d54440a55b547f4378
humanhash:	xray-missouri-maryland-mountain
File name:	NEW ORDER #063310 NAZIR AND SONS CO_pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	114'688 bytes
First seen:	2020-06-03 13:28:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9798baa410126c07b34f2fe530c1ebae (2 x GuLoader)
ssdeep	1536:VSPfxV40LqZd77+DkgrKHxLdGKc+o0FDHdZ1gIAugpxB1RidsvwUeP:QPXLM4bKVdhjFD9zFolsd3h
Threatray	1'521 similar samples on MalwareBazaar
TLSH	37B37C17ED0D8553D0188BBE2D178EB93B0DB91D09005FEF7575AEABAD322811CA721B
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: s1.smallhost.in
Sending IP: 103.46.239.70
From: Nazir & Sons Co. (Turkey) <rubab.s@nazirandsons.com>
Subject: NEW ORDER #063310 NAZIR AND SONS CO.
Attachment: NEW ORDER 063310 NAZIR AND SONS CO_pdf.arj (contains "NEW ORDER #063310 NAZIR AND SONS CO_pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1_MYMmXePhIt1EdobIE3aMcZnY7VJ9y-J

Intelligence

File Origin

# of uploads :

1

# of downloads :

66

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/6316/

Detection(s):

Win.Malware.Generic-7998112-0

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-03 13:37:35 UTC

AV detection:

29 of 47 (61.70%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=liykvebsx6plqyqj6f3eareb44h2ccfwrezqujkezyfvj6uvtk2a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

0f9f76e8ffa64b600745b99b8f7b51cfa151299424e6523995c6c0bcd7a5cd6b

136951ab2919602366049b534cc5159e1d6da7bc46a9131ce292dcefaf05c449

2c1642f94762a15404bbc286403d839f6ceba0659179aa227232af98d2b49d6d

9767731cae5b82c792fc165a9f024425866ca4fbde32b2dd4e9ac6fe12bc3548

a604cb5bd365ad6662b63b91c891d9af6c02a4fd89d29d6ad775d9401b31ac14

ad64a6eaa5d2494a4161158792e7cde3fb7d9a7bd36f06cc0de271192582f439

b16a20057b577660cec3a602bcfda96f40152aee86d0978babc68b7ca4391942

b584d8b69ef7c3f2689e4cecbec9932b84ca55e03c87b1aa9a9b9f56a1ba6c94

f96524898a01e5bad30e3d007cd96ba787a25419141210042df0bff2afab6a02

fa905ffdb00ec8867a003c49ebfa43f6ff96b890c40b3fe31b0fc40bb344ded0

+ 1'511 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-w7fqyp6j8x/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 5629ec1f97b4fed71d3572fd07f8e5ca6436788e3fa2683d50a8faac33a13adc

exe 5a30aa9032bf9eb86209f176404481e70fa108b689330a2544ce0b54fa959ab4

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/376185/

Dropped by

MD5 629b7afe0c9a66e10ebe73980a2c26ec

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5629ec1f97b4fed71d3572fd07f8e5ca6436788e3fa2683d50a8faac33a13adc

Cape

Cape

https://www.capesandbox.com/analysis/6316/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample