MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfec3b96406b5c9cee457e736154fe09bd0ffa60ada717f89f9923ecfb4358cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfec3b96406b5c9cee457e736154fe09bd0ffa60ada717f89f9923ecfb4358cb
SHA3-384 hash: 70d106d66bacd39d757c119ea6e115728d7f278e507b4aa02b0542d197a0414d3565acfdb1bc655f2bb91586f4d30042
SHA1 hash: 4f20c608d234d059b8d0ba17854cc2bcd4bbff5e
MD5 hash: 3eb84b10914958bc93921f5b7a7e9c77
humanhash: ink-indigo-sodium-twelve
File name:REMITTANCE.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-05-26 07:35:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b7c55945a1c3d5a3cd55bd62f7ef5a8c (2 x GuLoader)
ssdeep 1536:HrbwXvvRGXR7IJprXMQCT4qTZHswpyCHImUicYJVjOE:HOnRGhEp5g4kHDyCHImUC
Threatray 1'110 similar samples on MalwareBazaar
TLSH FAB3E602BED4AC92EF452EB58FD49AB41D26BE651C915E03F05FBB4D26371D22FA0207
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: whoismail.net
Sending IP: 211.115.64.84
From: 리지드코리아 <info@ridgidkorea.com>
Reply-To: info@ridgidkorea.com
Subject: Outstanding payment
Attachment: REMITTANCE.Xxe (contains "REMITTANCE.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=02E98840A4C9FD6C&resid=2E98840A4C9FD6C%211183&authkey=ANV33tRMzmI5CKo

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/5629/
Gathering data
Threat name:
Win32.Trojan.Vbkrypt
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 09:36:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0e3d83f664a5147b54de0323cf7319099cf4e214a074ba76c3cdc566f475eee3
GuLoader
11da12022c4b4fdd9947dce6ccf0cde30cc34a1816f4a4791ce0f298133749ef
GuLoader
46387625361cd440a23520b7bda25f402b586d00a44229754ab776e5e1bf34f7
GuLoader
5f9b8ce62abc0d49b1bb253bd51286151a8b3d3f09fdb9e37cd964f80df26669
GuLoader
8077b9d3b809c1b66793e7292d7afdb401efa60fe9be607bb48a30bcf005af06
GuLoader
8926bb6b6590a5a180cc10a7cedfb5df1e5d12013aeb23224bf917013ccb25a2
GuLoader
a45d9c8d3f5ceb809b8ee497e806d29d6e379ae0603aea8b733096afcf86bdcc
GuLoader
aa3420190b3e22959cfb4715307027404fe5cb492faf5546189a20b82b9e4e37
GuLoader
b5e4950f8979f18ad063f3df3fb483aa88273271254201dbc0e5241b7713edc2
GuLoader
d335fad41e3f9b09effaf617e6c56554b667191c9c94f4b644a15b396408858b
GuLoader
+ 1'100 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-hz5tqdjb3s/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar bef0c6137985861808c8c570e80a26501d3c5ebcbb4656058c1c31b96255cb4f

GuLoader

Executable exe cfec3b96406b5c9cee457e736154fe09bd0ffa60ada717f89f9923ecfb4358cb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/368645/
  
Dropped by
MD5 219ed3903e9a7d439f240157fa05dca5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bef0c6137985861808c8c570e80a26501d3c5ebcbb4656058c1c31b96255cb4f
Cape
Cape
https://www.capesandbox.com/analysis/5629/

Comments