MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c10808947a65d455863b0449c74a6cc2112fd8fd60dab90c0f51edddfad4cb3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c10808947a65d455863b0449c74a6cc2112fd8fd60dab90c0f51edddfad4cb3e
SHA3-384 hash: d544ae87b1753d675b80af31eb4350086823272b1d9d96eeb300331d3d2d66b63facc6e5abaea5e42c38b038100d5a97
SHA1 hash: da219f0f297defa9d74cf3a9b59a044445b17a67
MD5 hash: dfe6c1affd6d78876e4cf01c7bea6e05
humanhash: snake-stairway-berlin-quebec
File name:MEJMKQY.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:266'240 bytes
First seen:2020-05-01 13:44:15 UTC
Last seen:2020-05-01 15:55:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f9e7f3dc2eec7766dde39d81049ff0f (1 x GuLoader)
ssdeep 3072:fJ3VEBBfda0oSwFowYXKowf2JJKNu2vn:B3VEBB1GSls/2JJk
Threatray 264 similar samples on MalwareBazaar
TLSH C0443DCD98165671CA8167788F1EF87032252CBD1810454EB3F7BE537BBA45BB0BB292
Reporter abuse_ch
Tags:GuLoader Loki


Avatar
abuse_ch
GuLoader dropping Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

SecuriteInfo.com.Variant.Symmi.38603.21903.13397.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 19:53:00 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
25 of 30 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yeearfd2mxkflbr3are4ostmyiis7wh5mdnlsdapkhw536wuzm7a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1e22fffb30866578e2bae67b3a138e194853123914d5fa82440f6a2058bfdb3e
GuLoader
2ace558d202e365fac33752bc28b1c60b07e90904c9f0f4492d13d67f3277530
GuLoader
39931e1fb3b7e82ef1669505f39e9598c1620b8740ab59971bc6aeae0cd6082b
GuLoader
4b9d879ea6b4ca40c087b7cbd0474590bbca1f1dc788cb7689a96bbf0a044d4b
GuLoader
54f42da8259c446dcaa20a678a382301b319b3936c9d42fe50300d28f6c5939a
GuLoader
83e97420dbe39c6e29e2ae3dad80f21afe93d1b6ea88962a89762cd64772db41
GuLoader
9d168ed314be4a7dff1ef992f27e493e1f5f070d0c74a6268b1dc78630ade9cd
GuLoader
dfe54696ad7c10bc44e524a6d292f94a951bd29aa1f4dbee29b6ae56eaf9fa51
GuLoader
fbae0ff635e7b7cb7646fded915f70803f4c564348b77bf2c6d9809c4353e9a6
GuLoader
ff74fb3d8b1bc85e76697ddd73113a500d0c735e3b0b97fa67dd7720e40a5017
GuLoader
+ 254 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Word file doc 54f42da8259c446dcaa20a678a382301b319b3936c9d42fe50300d28f6c5939a

GuLoader

Executable exe c10808947a65d455863b0449c74a6cc2112fd8fd60dab90c0f51edddfad4cb3e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/355515/
  
URLhaus
https://urlhaus.abuse.ch/url/355504/
  
Dropped by
MD5 3ca459375646fa36b18b24e3d4121ef0
  
Dropped by
SHA256 54f42da8259c446dcaa20a678a382301b319b3936c9d42fe50300d28f6c5939a
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaLateMemCallLd

Comments