MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93dc44981a771519cbdf592c8391ada5234cd2f6c19fc0bb4b3233867db9a345. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93dc44981a771519cbdf592c8391ada5234cd2f6c19fc0bb4b3233867db9a345
SHA3-384 hash: d7631a5671cc510368820899bfcb1322f3ff6052042412e64093d5a44e5b2da339c414371da6f4071f1be65f996af807
SHA1 hash: f500f15a50f313a68a748259c6da05aaba370f0d
MD5 hash: 8d5887e0dabef1bb229f337a97b354ec
humanhash: west-lithium-jupiter-video
File name:HDDT003306092020.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2020-06-09 05:34:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 221b1d5dedf9d4a2808025d48eebf5fa (1 x GuLoader)
ssdeep 1536:bouRtSMqeXWiGYVw4ZriaBuXJmxAnzhjmNRc:ZfxWiGYirXJmKnFIRc
Threatray 887 similar samples on MalwareBazaar
TLSH 73738E036E04C153F1108A705CA38F792B1B7C285A829E4B659DBF4FE475B926DEA23D
Reporter abuse_ch
Tags:exe GuLoader Loki


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: bre.r1host.com
Sending IP: 136.243.102.137
From: b.sakhipour@bre-line.com
Subject: Pesanan pembelian HDDT/003306092020 dan HDET/003306092020
Attachment: Megasurya_Purchase Order.rar (contains "HDDT003306092020.exe")

GuLoader payload URL:
http://ratamodu.ga/~zadmin/group/frega_SEyLI167.bin

Loki C2:
http://egamcorps.ga/~zadmin/lmark/frega/mode.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7229/
Gathering data
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 04:25:59 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=spoejga2o4krts67lewihennuuruzuxwygp4bo2lgizym7nzuncq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771
GuLoader
34c9285a6b094968258fffe94cb3339c1715cbc6b8db1d309f7075eb0afda2d0
GuLoader
54d3e50350cb0e6e43cae0d762829aeab02a389142d24d5c8d71c413e1d77842
GuLoader
6715e87f7070a2d7b5b2c71e98a7bade689a504aed3b95654af3494248a501d4
GuLoader
7dc9d4200ada4d75e50d7c4ed86eef952334e4bb69da0464122682e7aff8d971
GuLoader
7e45056c46daf65e7826480c454e3237df4d5f5d740828df5b5181cfde5eade0
GuLoader
ac4035cfb9c8a93c294fe1911bd4cd94ce403d8cdc301fa4bf113144b40d1245
GuLoader
ad3cc0c05d4a7f42dba42a7bc414b78d50e3279d4ac40cdeda7d893c50020231
GuLoader
d213c80671d27596824def5ecb513b07e2118bd110e1230ed68aa4daab49bcc6
GuLoader
efecbafe7ddfe1306dac292dbd23be0caf62c5423a4c7a91086b0ca194a5e3ed
GuLoader
+ 877 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-nlgdqy4dw6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar f3eaa2810b812676c198a5fb1329a81ab5cbeb8d6314247dbaa18efeec1d007e

GuLoader

Executable exe 93dc44981a771519cbdf592c8391ada5234cd2f6c19fc0bb4b3233867db9a345

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374161/
  
Dropped by
MD5 5f0870730b3259c4b67f82bb86024da7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f3eaa2810b812676c198a5fb1329a81ab5cbeb8d6314247dbaa18efeec1d007e
Cape
Cape
https://www.capesandbox.com/analysis/7229/

Comments