MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f642d8b157f2edffe4bdf562b68625062021c6667b52f1b1d87489c4399464d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

SHA256 hash: 5f642d8b157f2edffe4bdf562b68625062021c6667b52f1b1d87489c4399464d
SHA3-384 hash: 8b601cebd6acd4a10c722a6a607f575b9cdb8c54ee11ce60372b271c536693915ae4f91e802b0edbcf800af6bba300ff
SHA1 hash: c637db6d695642937c12ae3f9b78d28b6fe80b2c
MD5 hash: 9c64ea15e4743bd4dd0acb98dcd69337
humanhash: apart-fourteen-yankee-november
File name: WTYHHGHVCDKNJKJ.exe
Signature: GuLoader
File size: 81'920 bytes
First seen: 2020-05-08 16:18:44 UTC
Last seen: 2020-05-08 17:04:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 339cb70fb542d5df8c05dffe4112c185 (1 x GuLoader)
ssdeep: 768:TDsm4Bixq93GlUDZXgTNV6yUN2wId6VsXeKpzI1XW5u+JUEI3HD0:TQmqF3zw5IyUN5Ik0M1X6VJU7z0
Threatray: 792 similar samples on MalwareBazaar
TLSH: 0983F6127EB8EC32D514BAB1CB6AF39FC726AE340871591770C4BA1A6F356069D3025F
Reporter: abuse_ch
Tags: exe, GuLoader, Loki

abuse_ch
GuLoader dropping Loki

GuLoader payload URL:
https://www.nilemixitupd.biz.pl/BRONZE/WTYHHGHVCDKNJKJ.exe

Loki payload URL:
http://protestlabsmovings.es/hukol/build_XzflZxgH12.bin

Loki C2:
http://157.52.211.247/bribate/Panel/five/fre.php

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 88
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-08 16:25:41 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 19 of 31 (61.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam | GuLoader | Executable exe 5f642d8b157f2edffe4bdf562b68625062021c6667b52f1b1d87489c4399464d (this sample)

Delivery method: Distributed via web download

Comments