MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cffb28f48a39b040f06f0563eaaac0a99f06accf37cc5da95383805c17c583c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	cffb28f48a39b040f06f0563eaaac0a99f06accf37cc5da95383805c17c583c3
SHA3-384 hash:	7107f27efb22b2bc92f0e6c872fb6304b7b57e9306b9350750ec3c542b35c4e957e84d26c0ec6e88e22373fc1c5728fb
SHA1 hash:	60edc6c26cb5187518cd7485c1a85d471eafcec1
MD5 hash:	2b4fd76e5fdc57076d7f2be51614eff0
humanhash:	papa-spaghetti-william-north
File name:	gerberia.com
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	69'632 bytes
First seen:	2020-06-10 12:36:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7f174a726307bad94f3cbcf69e72ed03 (8 x GuLoader)
ssdeep	1536:6J7OSlpf6kAtZPlw11mgazYivb+Pj82lZ1krXjIWAq6jIfMr:slpPAtZUmgNW+PnwjjAPjI0r
Threatray	2'542 similar samples on MalwareBazaar
TLSH	30634B16B6E1BD71D63556F62EB0D39850A7AC3304C1880375543F2F6A3F946F6A231B
Reporter	abuse_ch
Tags:	com GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: etudteknik.com
Sending IP: 45.11.19.137
From: Ella Collins <Info@etudteknik.com>
Subject: RE: Request for Quotation - New Client Contact
Attachment: OFFER.img (contains "gerberia.com")

GuLoader payload URL:
http

Intelligence

File Origin

# of uploads :

1

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/7547/

Detection(s):

SecuriteInfo.com.Gen.NN.ZevbaF.34128.em0@aSsetelG.7534.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-10 12:38:05 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z75sr5ekhgyeb4dpavr6vkwavgpqnlgpg7gf3kktqoafyf6fqpbq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1

168cd5b5e4d1dfec48777cdc97b74c7b33dca67d176f9add9bb94fa89905db38

625d65e2f28c0eb382f79567e2688de8188fa6606f6add912c74305c6f560718

63a5b27aaccab499d4e56d6606d9495484685be3f63817f9e90a61330bcffe38

8bbc2e9322af7c28162adfaa66055af70695b2da16b822be4b8b4deb67da405c

b282b41544510e59a40e875239a18b038243be344b1439e19d821eb7622e9230

c2a89ad45cb8155c18ddea788ecbc9ba9643ecd4e93e9711a736af4a52091632

e0a55cba6885e046f0eb064179877af39b10f3d8cc74b8c697ea7c8cda6ab739

f78f5eeea8bfec17ed985d71b265dd5be1bb90f781004a6a473e2e116abe144e

f888221496147b75d54210c499498b02780082a4e241575c7374adf58c38d902

+ 2'532 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-s2fswfb77a/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 5aa809de0391e256d77dbfe802f9bf61bd2e9ea588e24ab1119ce931e74e2038

exe cffb28f48a39b040f06f0563eaaac0a99f06accf37cc5da95383805c17c583c3

(this sample)

Dropped by

MD5 5c0d0203fa05fc4753c38e10c3403437

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5aa809de0391e256d77dbfe802f9bf61bd2e9ea588e24ab1119ce931e74e2038

Cape

Cape

https://www.capesandbox.com/analysis/7547/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample