MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d213c80671d27596824def5ecb513b07e2118bd110e1230ed68aa4daab49bcc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d213c80671d27596824def5ecb513b07e2118bd110e1230ed68aa4daab49bcc6
SHA3-384 hash: ec7e41d1d9c3eafa745b5f1fe1988ac105f3806f379fd9765241e428662363371b1750d327fb8c29fe4edc426efdcea6
SHA1 hash: 0c866e5f6be3e04197702bf0829ae5aa9a888ed4
MD5 hash: 2d10789c1bb51cbcdce6fcdc120d441e
humanhash: freddie-table-lake-robert
File name:WHP01-PMC1-101-P20608-0001.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2020-06-09 05:45:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 65006e8a25896c52534478cd01e0568f (1 x GuLoader)
ssdeep 768:bgWu1aL3mNtlrHBOj8KcBPAisgoz6REviGaSqZTHi6J/apPYnuForcB5d3Fa/hsx:bNuRtSYPAG2v+fZriayFYuZdVa/+aI
Threatray 1'044 similar samples on MalwareBazaar
TLSH A5738E277904C153E1600BF05C939AA91B177C288981AE4F217F6F4FE4777D6ACEA239
Reporter abuse_ch
Tags:exe geo GuLoader VNM


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: viettelidc.com.vn
Sending IP: 103.1.208.206
From: Nguyễn Ngọc Diễm Quỳnh - EBVN [ngoc.nguyen@vn.eagleburgmann.com] <hanhhh@kmg.vn>
Subject: RE: Inquiry from EBVN - RFQ # 20608-0001 Ref. WHP03 Project Hanoi VN
Attachment: WHP03-PMC1-101-P20608-0001.rar (contains "WHP01-PMC1-101-P20608-0001.exe")

GuLoader payload URL:
http://ratamodu.ga/~zadmin/group/harl_cyMbNbo109.bin

Loki C2:
http://egamcorps.ga/~zadmin/lmark/harley/mode.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7231/
Detection(s):
SecuriteInfo.com.Variant.Razy.682490.11173.25468.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Dynamer
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 03:36:11 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ij4qbtr2j2znasn55pmwuj3a7rbdc6rcdqsgdwwrksnvk2jxtda._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
080a382d362b7bc36365a369f6ff5755a38641e021fce3225eeda8e10e54964f
GuLoader
229d8d98a701a24e93b4e374092a5ce767fb859ffbc243cea9c1486b871dd4fb
GuLoader
620e100a8454a1fe2978e299f7b591c07589bf257bd2b1913c3b7ad601699e4b
GuLoader
631c795e9e20bfd8d33a2ecc2d8e1e22f925eb2aff8f052904bd779a66ccaada
GuLoader
888a2bd11840935e40bcea4cb2adfe57938ac8e0bc2e05c51b575167a469e667
GuLoader
93dc44981a771519cbdf592c8391ada5234cd2f6c19fc0bb4b3233867db9a345
GuLoader
ad3cc0c05d4a7f42dba42a7bc414b78d50e3279d4ac40cdeda7d893c50020231
GuLoader
d11f49cceb75957df9dde57b197a71b081579d2a63eaf294974e5d03dbb6a558
GuLoader
dfa8fa537be02efde6add76862693fb2f099e3339798cc1d05a2feff5409ab86
GuLoader
efecbafe7ddfe1306dac292dbd23be0caf62c5423a4c7a91086b0ca194a5e3ed
GuLoader
+ 1'034 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-8aw2wj4d1s/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar ca8fd71e72554eaf384e8047089c23f51126a541f6c50b0d572ab88579b0df02

GuLoader

Executable exe d213c80671d27596824def5ecb513b07e2118bd110e1230ed68aa4daab49bcc6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374155/
  
Dropped by
MD5 1a5dfa63d076b85ce447278c040bdc11
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/7231/
  
Dropped by
SHA256 ca8fd71e72554eaf384e8047089c23f51126a541f6c50b0d572ab88579b0df02

Comments