MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62009eba5623f35454d0d19824c688a0f1fb45dfa88516a3999680f984bdf1f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62009eba5623f35454d0d19824c688a0f1fb45dfa88516a3999680f984bdf1f7
SHA3-384 hash: adc48a596d5de709f02f405367392f13a0daf1ab7920348cba1b564eb46f7b36672573baa67074349e92ebd464e1f6e9
SHA1 hash: 518c8f8760f2aed3cf886526b566643f7f868087
MD5 hash: b7470ec65fa4d7e61b9e77b9ce9f6c08
humanhash: mountain-april-arizona-floor
File name:Payment-slip.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-04-30 06:31:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 53dabcbb93ff9692ea4afe32ea65f5fc (1 x GuLoader)
ssdeep 768:206M3OHStxqyXWW6UTmlGgpgXq0xUHRw+Mxo7cVbsaA3zyzLs:ROHStcdjXHi+cnAmc
Threatray 510 similar samples on MalwareBazaar
TLSH 53832B23B28DE0B6D156CF708B35CBB5216B7C740A21890339447B5F3A39D856D64BAB
Reporter abuse_ch
Tags:exe GuLoader Loki


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: vmas-mg5.fetnet.net
Sending IP: 61.20.35.131
From: Liu Ying | Hofmann Chemie GmbH <abc@yctt.com.tw>
Reply-To: <expedition1@hofmannchemie.de>
Subject: AW: SHIPMENT ADVICE/ PAYMENT
Attachment: Payment-slip.rar (contains "Payment-slip.exe")

GuLoader payload URL (Loki):
http://castmart.ga/~zadmin/xcloud/gold_TtBaWDj152.bin

Loki C2:
http://allenservice.ga/~zadmin/lmark/gld/link.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.LokiBot-7727533-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 13:37:51 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=miaj5oswepzvivgq2gmcjruiudy7wro7vccrni4zs2aptbf56h3q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
14bd280177ece118d671795a8b372a0d7de0f3ad3b842ed35726d9b587cb1608
GuLoader
1b09e1ef7e44680e2fdd5909dbae73c46ad9d4d007f9ef077acfa102a613f908
GuLoader
2175bd94c8f6b7a75f4058bb9b981c2dee39a34a51afe018ebecfbffa490656c
GuLoader
63b3643da0804ac1ddc37ae59c80175a0c22d17ee37e7a0c5cfd3a4d20b7c926
GuLoader
b1bfc64b0b5890c39650f9ec6a12bb8b7c4b84654de8898d694f199f359b12a5
GuLoader
c6226058a19d31ee5070ae94db3e63dc19c15f8b15fc933c57fb4cec0e4ecd30
GuLoader
c62acb5894988284f4effb5bd8ece3701c9fe7854d865bb75f2eb447556d9c8f
GuLoader
c7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa
GuLoader
d2f8a812a1b9539ac967ff0e0651d4ef6958227d11b0ef502417131c3b0ccce2
GuLoader
e78024e5a271686a09ed988baa347a537c0cf49abb6966f434f4d350d06d9115
GuLoader
+ 500 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar c4224a7ee0d8c31582bf52664ad0d19fd3d9bc18feb447b1c3205762441ad9c5

GuLoader

Executable exe 62009eba5623f35454d0d19824c688a0f1fb45dfa88516a3999680f984bdf1f7

(this sample)

  
Dropped by
MD5 d71e6c57e381236f9f9f7a303fddfd5b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c4224a7ee0d8c31582bf52664ad0d19fd3d9bc18feb447b1c3205762441ad9c5

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments