MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79f98a45cdf0776c1ae83a4b027ded395fe8dfc4b520f51706fc7207b1e4c630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

SHA256 hash: 79f98a45cdf0776c1ae83a4b027ded395fe8dfc4b520f51706fc7207b1e4c630
SHA3-384 hash: 172ec769ddd8fd2b26b40fdab5c3fc7519da7c7d5a71a0810a8430436025fb1fadf896400229ff75d3b2e73bf4d4d119
SHA1 hash: 907c618ff3c2dc8bfba72acf057b4feb1378e353
MD5 hash: 8797e981438dce682e3ebd74e5562861
humanhash: jersey-cola-tennessee-connecticut
File name: KOMMU.exe
Signature: GuLoader
File size: 77'824 bytes
First seen: 2020-06-08 09:33:07 UTC
Last seen: 2020-06-08 11:12:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7d3cd064a4a98102690418c1d93e969e (1 x GuLoader)
ssdeep: 768:a9ysfNpuRnnPilTjATMe9hS4BIvIIA6YUpTkRXQJtEWx4Be3KO0NozTgB8nwbl:a9ysFY6TjMbLTOYUp0goKKvL
Threatray: 976 similar samples on MalwareBazaar
TLSH: 5773AE036C04C591F040C2B17E935B9A222A6F289D466E977A5E5FBFEC706C25DF123E
Reporter: abuse_ch
Tags: CHN exe geo GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: EUR04-HE1-obe.outbound.protection.outlook.com
Sending IP: 40.92.73.57
From: kassem agha <kasem_agha@hotmail.com>
Subject: 重新重新重新附加新订单19PG03083
Attachment: file.rar (contains "KOMMU.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1kpBuILdSIcw7QazEq8GvjbkN1kJGVxOw

Intelligence

File Origin
# of uploads: 2
# of downloads: 88
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Spyware.FormBook
Status: Malicious
First seen: 2020-06-08 09:35:04 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 2/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  GuLoader
    Executable exe 79f98a45cdf0776c1ae83a4b027ded395fe8dfc4b520f51706fc7207b1e4c630 (this sample)

Delivery method: Distributed via e-mail attachment
