MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad57fdea21b1f9e56e500568a6dba42e239fbed6bbc3e825ccf0342e6f1a9064. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	ad57fdea21b1f9e56e500568a6dba42e239fbed6bbc3e825ccf0342e6f1a9064
SHA3-384 hash:	9d4340e0990e62ac13ec399e5b7a7e7919b2fa411b45ae03508d485449164981d9b586f9c676a0bb9fa84a73499b696f
SHA1 hash:	398a056b6ee6fc19d544d9fa6701204a369cf027
MD5 hash:	1d1bbdcbe710a2f42e18456aea0fbe70
humanhash:	idaho-one-idaho-oregon
File name:	BL AND SHIPPING DOCUMENTS.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	90'112 bytes
First seen:	2020-06-06 08:41:30 UTC
Last seen:	2020-06-06 09:40:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	baab5ba39bc27354a58d9b5383257ee1 (1 x GuLoader)
ssdeep	1536:JDrdLtwa8mHVpIJwDwvTnJqGZG3UyT+vFht2Xb:VrdhOmVpPEkENIXb
Threatray	5'102 similar samples on MalwareBazaar
TLSH	8A937D136D48E865D0895EF06C6299972B163C082A015F7F25C4FFAEF9316E2789B70F
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: wsuche.com
Sending IP: 81.169.140.45
From: Doc <document@jabsinternational.com>
Reply-To: rnnfibi@outlook.com
Subject: PRE SHIPMENT ADVICE
Attachment: BL DRAFT AND SHIPPING DOCUMENTS.img (contains "BL AND SHIPPING DOCUMENTS.exe")

GuLoader payload URL:
http://180.214.239.54/nbin_aKNXfFIB29.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/6849/

Detection(s):

SecuriteInfo.com.Variant.Ursu.893124.25587.8462.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-06 08:43:05 UTC

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vvl732rbwh46k3sqavuknw5efyrz7pwwxpb6qjom6a2c43y2sbsa._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

0638b1723d45eb9fbbf4db0428aeb59b08da4082779c361ae881445ef35bb6d4

0abe72d915f50b2a21fc3cafc52152db81bef2a16be4ccde68e64942bf927af1

28ebdc57f4de0a5f04d5ac0c8f17996d257df911de9900c3e6db1f1e213383b7

7095eec286427d0c168ef01a9d20e741032194cd9e4fb607c02a55c0a1df29c5

8cd14212205658092f91a376a85fb70802200671ea0cbc74b73f1fcaf0f88ddb

92574e92ed7461639393ef09258609b637fc5e68341c5fe13e460f2dff705d0d

97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3

b5ee70ba14a2bcb9936bd64d99ce7b51785ba328b16a0be49d47c10cba17980c

d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb

e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0

+ 5'092 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-wy9yl4g4ne/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 85c55bf4f31e32da19c7f7fbecd535ca0275323e5cb7b4896ada14dabbcc53b6

exe ad57fdea21b1f9e56e500568a6dba42e239fbed6bbc3e825ccf0342e6f1a9064

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/382438/

Dropped by

MD5 35dd47d4e6408b8f2407e7563e772e45

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6849/

Dropped by

SHA256 85c55bf4f31e32da19c7f7fbecd535ca0275323e5cb7b4896ada14dabbcc53b6

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample