MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c483809135c4c319f872712283c1817b5da969c071cf8f63c80bf3d79c4d49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c483809135c4c319f872712283c1817b5da969c071cf8f63c80bf3d79c4d49
SHA3-384 hash: 3126ac5c390c3dd2b8d35f3651c4f0edcd02d41b7cde79f2cc424c9504508eb0ce89ee41d9a678af436f488ed01ed9dc
SHA1 hash: 1cf47f3ec9469c275928c4ff36f5cdcfe091903f
MD5 hash: 625e04c374462ac392aa3d57399c5a55
humanhash: vermont-alaska-blossom-burger
File name:Shipment Document BL,INV and packing list.jpg.ace
Download: download sample
Signature GuLoader
Create hunting rule
File size:68'325 bytes
First seen:2021-06-21 12:55:03 UTC
Last seen:2021-06-23 09:23:15 UTC
File type: ace
MIME type:application/octet-stream
ssdeep 1536:pvtF6biPRkMOkpGZ2qIgozMBJZ8PYlrJT0YN9Bw:pRkMOkeL0+JZVFJT/N9Bw
TLSH A563F232479EFC128EEB61344744797E7AD84F6522BCB52FA0EC55A3C73E0B04976590
Reporter cocaman
Tags:ace GuLoader


Avatar
cocaman
Malicious email (T1566.001)
From: "no-reply@server.com" (likely spoofed)
Received: "from server.com (unknown [109.237.103.46]) "
Date: "22 Jun 2021 23:16:28 -0700"
Subject: "Shipment Document BL,INV and packing list"
Attachment: "Shipment Document BL,INV and packing list.jpg.ace"

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88c483809135c4c319f872712283c1817b5da969c071cf8f63c80bf3d79c4d49/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 05:23:59 UTC
File Type:
Binary (Archive)
Extracted files:
17
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdcihaergxcmggpyojysfa6bqf5v3kljyby47d3dzaf7hv44jveq._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot downloader spyware stealer trojan
Link:
https://tria.ge/reports/210621-m19121qhtx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Lokibot
Malware Config
C2 Extraction:
https://onedrive.live.com/download?cid=6ADEF9A20EA2D392&resid=6ADEF9A20EA2D392%21106&authkey=AM90fu_ck0Db5Xo
http://63.141.228.141/32.php/Hgp9nhKIiDe7r
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/88c483809135c4c319f872712283c1817b5da969c071cf8f63c80bf3d79c4d49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

ace 88c483809135c4c319f872712283c1817b5da969c071cf8f63c80bf3d79c4d49

(this sample)

GuLoader

Executable exe 7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012
  
Dropping
GuLoader

Comments