MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8797d399b8d6448ae58dfb5c4c5d21aac717fab0b4629cd78748a8239ba87cd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	8797d399b8d6448ae58dfb5c4c5d21aac717fab0b4629cd78748a8239ba87cd9
SHA3-384 hash:	8f83f88e79dfe08e2f17a6de19ccc3623c3948941bcf2e6a77a06a2af467e9e118a52ce6820152844183f0c7e44a7885
SHA1 hash:	029805c0b16b3ec071ba21b22be18cd4517d37ef
MD5 hash:	4863bd58de063e3f5b5af3244da75063
humanhash:	wyoming-golf-april-spring
File name:	INVOICE DRAFT COPY_scan0091627_IMG.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	110'592 bytes
First seen:	2020-06-03 13:32:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1cc5e4409f9ce2ba12b08f9a89c6a2f8 (8 x GuLoader)
ssdeep	1536:OSPfxV40Icu19nYpqvzNkgrKHxLdGKc+o0FDHdZ1gIcDk0s+r8lb+K4h66:nPXIpvnYwKVdhjFD9zhKVh6
Threatray	1'280 similar samples on MalwareBazaar
TLSH	3BB37B07FD4C8613D1144BBC2E179EB93A1DAC0E0D405BEFB4795E9BAE312522CAB10E
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: mail2527.himayadar.org
Sending IP: 188.138.125.244
From: Nylene Criste <info@mail2525.himayadar.org>
Subject: INVOICE DRAFT COPY
Attachment: INVOICE DRAFT COPY_scan00282733387_img.img (contains "INVOICE DRAFT COPY_scan0091627_IMG.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=19oX2TzERMvZbM2LlNdcjGcqtWS_xpipk

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6334/

Detection(s):

Win.Dropper.NetWire-7996875-0

Win.Malware.Razy-7997182-0

Gathering data

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-06-03 13:49:00 UTC

AV detection:

17 of 31 (54.84%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q6l5hgny2zcivzmn7noeyxjbvldrp6vqwrrjzv4hjcuchg5iptmq._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

1acd132956421229e7c8fabb1001381956ff135d042b339f2871763498896d9e

3e3529db8cde73fcdb792f6414ebe6fb9a6ec5ba5cf5f503376a795387b2020e

77b78883671d865b91db205f68f7e5e69c9ad68687f8696f390a9b4b1449090c

7d110a4f6f206b5fb49742150bdbd7ffc43b29a5b2fa32424ef32aa20c4696f8

897c29c75ae58e4057c0d32c3704469a7ecfa4878f5d0c60ad8abe2fa821b0b0

ad8132d2a341bf731c105eed4dea2357f5ab516c085550294593a2e41f34ebc4

bc7549c1281f3ce45abcaad7408522374c97421e9031998b7959bd5e59b27a93

e93ea58602fabb383b5624b79dd683dceaff52b89f0765dc66be19d938348718

f0904d56b0d621156adf1d4449d1b445e6d45eec9c0a4b09e22f9bb95a185955

f9389b3ae99666514bbe467217ebd46597e6d2e919f105697a152afe1da73e18

+ 1'270 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-latlpwt42n/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 749c6935f0db10685ba380c7cd5e6d62447e3bece08cd511af97c73ebec45c85

exe 8797d399b8d6448ae58dfb5c4c5d21aac717fab0b4629cd78748a8239ba87cd9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/376028/

Dropped by

MD5 8994a5b58be5def47b809e3c37cd62b6

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 749c6935f0db10685ba380c7cd5e6d62447e3bece08cd511af97c73ebec45c85

Cape

Cape

https://www.capesandbox.com/analysis/6334/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample