MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d025b24f7179db8dcc6dda416f90220e9559dde564a5b24c0dc7a02fc823c97c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d025b24f7179db8dcc6dda416f90220e9559dde564a5b24c0dc7a02fc823c97c
SHA3-384 hash: 45aafeb6789605906f13d1b6fa706d09861a83fd9b8a328abc3d1426f25b390017c49d51861f7b0bb3472dc235d66e67
SHA1 hash: cb85e2f61770b5416d58c08241c49c38f0b9ea54
MD5 hash: 78224bebdf8d79c078a95c9a7912d60b
humanhash: green-utah-snake-bulldog
File name:Fingerhut Quote.doc
Download: download sample
Signature GuLoader
Create hunting rule
File size:111'072 bytes
First seen:2020-05-06 11:09:42 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 3072:kjtA0HoUNnZFeHru5Y6+C4lvrKKUfC7q7Q7X9gv13kw3I:KPpn7YTdCmofC7q7Q7XCv1/4
Threatray 80 similar samples on MalwareBazaar
TLSH B0B37A139C4CDF92D05887F47E130EACBB0B2B1D9A8A35EE14265ECF7E682521DD914E
Reporter abuse_ch
Tags:doc GuLoader Loki


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: server.healthsupplementsdirect.co.uk
Sending IP: 66.45.253.19
From: Miriam Fingerhut <miriam@nutrivity.co.uk>
Subject: Fingerhut Quote
Attachment: Fingerhut Quote.doc

GuLoader pushing Loki from drive.google.com

GuLoader payload URL:
http://portal.nfbpc.org/dispositio.exe

Loki C2:
http://31.220.2.200/~putinnot/School/project/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Script.Agent.AFC.26322.26615.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Document-Word.Trojan.Powdow
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 05:07:30 UTC
File Type:
Document
Extracted files:
23
AV detection:
16 of 48 (33.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2as3et3rphny3tdn3jaw7ebcb2kvtxpfmss3etany6qc7sbdzf6a._file
Verdict:
malicious
Similar samples:
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
GuLoader
552f8a15f83c9c40034cbada93c326a24b8677d7413e8395bfd7f3a6461d33b3
GuLoader
83e97420dbe39c6e29e2ae3dad80f21afe93d1b6ea88962a89762cd64772db41
GuLoader
aff13266e5803a58effdba6e01d44dd6b083db453a0dbf2528f5e729d33918fe
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
c0a66966676974f8b853ba487eb3e06e8952ccb0f9d6930bf2d1c67293ee21f1
GuLoader
d8e693957ed5178a7f00b1c5705dae298b7e04da07d5c154a6580c031369d6ab
GuLoader
eb69f1b5d596096808339dd39376f1685bf94376491a8df091c9a788d0dc1ef9
GuLoader
f17c37c6d5e56b96e7d603d1eafcb885b8c229cd1a6ec1d669b1dadcce59bdef
GuLoader
f85b3852381cfbabd654be01a21ffbb798a0feaa3f360fff66f27d499c174898
GuLoader
+ 70 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-tjx9kezg2s/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Blacklisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:win_alina_pos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_gootkit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Word file doc d025b24f7179db8dcc6dda416f90220e9559dde564a5b24c0dc7a02fc823c97c

(this sample)

GuLoader

Executable exe f17c37c6d5e56b96e7d603d1eafcb885b8c229cd1a6ec1d669b1dadcce59bdef

  
URLhaus
https://urlhaus.abuse.ch/url/358774/
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f17c37c6d5e56b96e7d603d1eafcb885b8c229cd1a6ec1d669b1dadcce59bdef
  
Dropping
MD5 b5374654ec2ffef8c046cafeee2adb22

Comments