MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78f2c94c64775acc935a40cf63103e04ed2ace67a20e8eb533f4a3c2f40d2fe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader
Vendor detections: 4

SHA256 hash: 78f2c94c64775acc935a40cf63103e04ed2ace67a20e8eb533f4a3c2f40d2fe9
SHA3-384 hash: 0f82b7afee62a185cdac807025a2b836e40c1c0555a45ef9a52f3cfde83168a78083c771f02eee9edcb113f1cfa805f3
SHA1 hash: cb8d07879b6c34839c8a473599b7801e13458773
MD5 hash: 75adea927ed8d5eedb84e8771edd7acd
humanhash: mike-avocado-wolfram-network
File name: BANK_COP.EXE
Signature: GuLoader
File size: 66'776 bytes
First seen: 2020-04-30 11:19:36 UTC
Last seen: 2020-05-11 07:06:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 17d07931403e3faa31647e7dff7bb969 (1 x GuLoader)
ssdeep: 768:yOGN0vnK8vYvSSyYNbVy9J8RRVgr+ceWdK/q0tGQ471ozhQ5oyb+DSPGoumDGpYZ:yZ+K8fIbVywjgr+0dpbQ47kQSybso5
Threatray: 451 similar samples on MalwareBazaar
TLSH: B6638D9BB18AF213D6465830687393952D23EDA98AD94423FDB0F3684DF3B5024F6F19
Reporter: abuse_ch
Tags: exe GuLoader

Code Signing Certificate

Organisation: Dummy
Issuer: Dummy
Algorithm: sha256WithRSAEncryption
Valid from: Jan 1 07:00:00 2013 GMT
Valid to: Jan 2 07:00:00 2013 GMT
Serial number: 7E89B9DF006BD1AA4C48D865039634CA
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 46EF45463A9E9A92A203BB0FB866206D659EC986B32832D907C7D7DAD62C69CC
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Malspam distributing GuLoader:

HELO: raysen.com.cn
Sending IP: 216.244.74.66
From: sales@raysen.com.cn
Subject: Re:Orders With Image Specifications
Attachment: Order Image spec.img (contains "BANK_COP.EXE")

Intelligence


File Origin
# of uploads: 2
# of downloads: 90
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-03-16 02:57:00 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe 78f2c94c64775acc935a40cf63103e04ed2ace67a20e8eb533f4a3c2f40d2fe9 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high

Reviews

ID       Capabilities                   Evidence
VB_API   Legacy Visual Basic API used   MSVBVM60.DLL::EVENT_SINK_AddRef

Comments