MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d4b6b5a3f228456841a6627f6b4fe4de260e1261e312b30b62120d5297e68c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d4b6b5a3f228456841a6627f6b4fe4de260e1261e312b30b62120d5297e68c1
SHA3-384 hash: 1d3fcbb92f42dbdc000cb20f39e7a27c975b516eb7779cbbcb5ab392d666fddd60f33382f9bcf34acd51d1e83b345456
SHA1 hash: 50c91f9d0ae13ce7d201d909c59eaf278081ae97
MD5 hash: 21985f4388a169e646cc5a639d971bd7
humanhash: east-cup-kilo-nineteen
File name:Payment W0301 - TC -[ref00D208TF]_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-06-08 12:12:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 907c347b3bf3e931014a9faed830c76f (2 x GuLoader)
ssdeep 768:Vu1aL3mNtlrHBOjv8I68BFlGjZTHi6JzrH41ZuoL6/eBuiCI7UOfTrU4r:VuRtSYRZriaPwsDeBuivoO/U
Threatray 930 similar samples on MalwareBazaar
TLSH 0683AE073698D512E14A0770ACB3DEB63A66BD2899816F4F2044BE5FE431B527CA732D
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: genopem.tk
Sending IP: 135.181.24.152
From: international payment <iban@crdbank.com> <admin@genopem.tk>
Subject: Fwd: SWIFT Payment W0301 - TC -[ref:00D208TF]
Attachment: Payment W0301 - TC -ref00D208TF_pdf.gz (contains "Payment W0301 - TC -[ref00D208TF]_pdf.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=F5533CD060D35070&resid=F5533CD060D35070%21174&authkey=AIBDrJtaga1JUxw

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7014/
Detection(s):
SecuriteInfo.com.CLASSIC.658.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 12:14:06 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvfwwwr7ekcfnba2myt7nnh6jxrgbyjgdyyswmfweeqnkkl6ndaq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
01cbd7ffa69b802c48571c9643d525c525493463b592a79336ee6757e9d54aa2
GuLoader
15187de4f29194c60f3f199549c345592e967ee8ecf9a39b0a40c1796fdb222c
GuLoader
5f9b8ce62abc0d49b1bb253bd51286151a8b3d3f09fdb9e37cd964f80df26669
GuLoader
61b5d789c9983fb294e4e91fdcd1487c896fbc12a0a605215a48f589b6fb4937
GuLoader
7f7f93ae7c3ce6bd7d154c2e2188bd39c7d511df8fc890e46085afc34acdba2b
GuLoader
89e54f19c04bb28c90f0ee75419a149c8178f9841435a20be727506d0c9506d3
GuLoader
8dfca70c89e2310b9f8af5cff4ace9dc09676db2e19950afb205518c581f9627
GuLoader
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
GuLoader
cf6542bb87d706ab7d6fd3f7fa0a2594d3b0ed8a9d15b481252d0c405ecd36ef
GuLoader
d894062069e0d2967a0ca5655892f29e511d37dd5de5f5dc02e7ed54f2e4fe45
GuLoader
+ 920 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-6ypgwf8nzj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz ca5dac5e1d522b12fbb09f0e57a38367a0aadfd24933284ffb35011115370228

GuLoader

Executable exe 8d4b6b5a3f228456841a6627f6b4fe4de260e1261e312b30b62120d5297e68c1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383140/
  
Dropped by
MD5 77b291d24850a22f8915b34233a1826d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ca5dac5e1d522b12fbb09f0e57a38367a0aadfd24933284ffb35011115370228
Cape
Cape
https://www.capesandbox.com/analysis/7014/

Comments