MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fd3b343c562779916904e59713ac5366eb442b6a6d6e7008a357c5780e135b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 3



SHA256 hash: 8fd3b343c562779916904e59713ac5366eb442b6a6d6e7008a357c5780e135b7
SHA3-384 hash: 1c7111fed2d0cea6fbf5e30641f5f9f83a953310d779242908530f2e40eb935bac7267a82c9e6ad9d832a895192dc7f2
SHA1 hash: 35afa600115784fc464826a04371271414f1e53e
MD5 hash: ddea11d7836e777765e1d7bd9fbcc46c
humanhash: uncle-cold-river-lemon
File name: Attachment.iso
Signature: GuLoader
File size: 1'638'400 bytes
First seen: 2020-05-04 22:15:10 UTC
Last seen: 2020-05-05 05:44:52 UTC
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 24576:OgTfvH5kDYtfLWyfhcEwyzd6TIk5ZtXs:OgTffS1sOc6TI
TLSH: 56757D22A253DA33D12355389D7B56B8E836BE136B7858472AF52C3C1FF93403837296
Reporter: abuse_ch
Tags: Azure DHL GuLoader iso nVpn RAT


abuse_ch
Malspam distributing GuLoader:

HELO: sunn1.southcentralus.cloudapp.azure.com
Sending IP: 13.66.51.68
From: Dhl Customer Support <Support@dhl.com>
Subject: Order Delivery Failed
Attachment: Attachment.iso (contains "Document.exe")

GuLoader pushing RemcosRAT from drive.google.com

RemcosRAT C2s:
rex2018.hopto.org:2404
rex2018.myddns.me:2404
rex2020.myddns.me:2404
myb50.myddns.me:2404
johnhoff2.hopto.org:2404
jbcbeads.myddns.rocks:2404 (79.134.225.107)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE
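The indicators in the report above, turned into a check over log lines. This is an added example; it is not part of the MalwareBazaar page and not the reporter's code. The hashes, C2 host:port pairs, the resolved IP, the HELO name and the sending IP are copied from the page; the key=value log format, the log lines in SAMPLE_LOGS and the function names (parse_c2s, parse_kv, match_line, scan) are constructed for illustration and stand in for whatever your resolver, firewall, mail gateway and file scanner actually emit.

```python
"""Match the abuse.ch report's IOCs against sample log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the report on this page.
SAMPLE_HASHES = {
    "md5": "ddea11d7836e777765e1d7bd9fbcc46c",
    "sha1": "35afa600115784fc464826a04371271414f1e53e",
    "sha256": "8fd3b343c562779916904e59713ac5366eb442b6a6d6e7008a357c5780e135b7",
}
RAW_C2S = """
rex2018.hopto.org:2404
rex2018.myddns.me:2404
rex2020.myddns.me:2404
myb50.myddns.me:2404
johnhoff2.hopto.org:2404
jbcbeads.myddns.rocks:2404 (79.134.225.107)
"""
MALSPAM_HELO = "sunn1.southcentralus.cloudapp.azure.com"
MALSPAM_SENDER_IP = "13.66.51.68"

C2_LINE = re.compile(r"^(?P<host>[\w.-]+):(?P<port>\d+)(?:\s+\((?P<ip>[\d.]+)\))?$")


@dataclass(frozen=True)
class C2:
    host: str
    port: int
    ip: Optional[str]  # only set where the report resolved the name


def parse_c2s(text: str) -> list:
    """Parse the 'host:port' / 'host:port (ip)' lines exactly as the report writes them."""
    found = []
    for line in text.strip().splitlines():
        m = C2_LINE.match(line.strip())
        if m:
            found.append(C2(m["host"].lower(), int(m["port"]), m["ip"]))
    return found


C2S = parse_c2s(RAW_C2S)
C2_HOSTS = {c.host for c in C2S}
C2_IPS = {c.ip for c in C2S if c.ip}
C2_PORTS = {c.port for c in C2S}

# Constructed log lines (not real traffic): mail gateway, file scan, DNS
# resolver and firewall events in an assumed key=value format.
SAMPLE_LOGS = [
    "2020-05-05T05:58:40Z mta helo=sunn1.southcentralus.cloudapp.azure.com ip=13.66.51.68 "
    "from=Support@dhl.com subject='Order Delivery Failed' attach=Attachment.iso",
    "2020-05-05T06:00:50Z scan host=10.0.0.15 file=Attachment.iso "
    "sha256=8fd3b343c562779916904e59713ac5366eb442b6a6d6e7008a357c5780e135b7",
    "2020-05-05T06:01:02Z dns client=10.0.0.15 query=rex2020.myddns.me type=A",
    "2020-05-05T06:01:03Z fw src=10.0.0.15 dst=79.134.225.107 dport=2404 proto=tcp action=allow",
    "2020-05-05T06:01:09Z dns client=10.0.0.22 query=www.example.com type=A",
    "2020-05-05T06:02:11Z fw src=10.0.0.31 dst=93.184.216.34 dport=443 proto=tcp action=allow",
]

KV = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_kv(line: str) -> dict:
    """Split a key=value log line into a dict; single-quoted values keep their spaces."""
    return {k: v.strip("'") for k, v in KV.findall(line)}


def match_line(line: str) -> list:
    """Return the IOC hits for one log line (empty list if it is clean)."""
    f = parse_kv(line)
    hits = []
    if f.get("query", "").lower() in C2_HOSTS:
        hits.append(f"dns:c2-host:{f['query']}")
    if f.get("dst") in C2_IPS:
        hits.append(f"fw:c2-ip:{f['dst']}")
    elif f.get("dport", "").isdigit() and int(f["dport"]) in C2_PORTS:
        # Port alone is a weak signal: 2404 is also used by legitimate services.
        hits.append(f"fw:c2-port-only:{f['dport']}")
    if f.get("helo", "").lower() == MALSPAM_HELO or f.get("ip") == MALSPAM_SENDER_IP:
        hits.append("mta:malspam-source")
    if f.get("attach", "").lower().endswith(".iso"):
        # ISO attachments are unusual in legitimate mail and Windows 8+ mounts them on double-click.
        hits.append("mta:iso-attachment")
    for algo, digest in SAMPLE_HASHES.items():
        if f.get(algo, "").lower() == digest:
            hits.append(f"scan:sample-{algo}")
    return hits


def scan(lines) -> dict:
    """Map the index of each matching line to its hits; clean lines are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS).items():
        print(i, hits)
```

The host names in the report are dynamic-DNS names (hopto.org, myddns.me, myddns.rocks), so the resolved IP is a weaker indicator than the names themselves: it can change at any time, and the report only shows a resolution for one of the six. Matching on the names in resolver logs, and on port 2404 only in combination with a known IP, keeps the check useful after the infrastructure moves.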

Intelligence


File Origin
# of uploads: 2
# of downloads: 80
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-05-05 02:09:23 UTC
File Type: Binary (Archive)
Extracted files: 88
AV detection: 15 of 31 (48.39%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  GuLoader
    iso 8fd3b343c562779916904e59713ac5366eb442b6a6d6e7008a357c5780e135b7 (this sample)
      Dropping: GuLoader

Delivery method: Distributed via e-mail attachment
