MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d48bd7c50cc69b4f73766563fde6a1444b64a725acb7b988e75bdc54b945d383. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	d48bd7c50cc69b4f73766563fde6a1444b64a725acb7b988e75bdc54b945d383
SHA3-384 hash:	afc5f73dba3133be72612c2d22cefea751efb5e58840feeefa9648214d1da5153093aeb055c04a3b4cf4f29870c05dd3
SHA1 hash:	7841e7e881a27c3ce6234ae840283d5928fd809c
MD5 hash:	dc85e19bf0230041328c7ec3a5380181
humanhash:	georgia-yellow-may-neptune
File name:	SGN07752818.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	81'920 bytes
First seen:	2020-08-19 13:16:45 UTC
Last seen:	2020-08-19 13:45:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep	768:uIqIx6d+3yx+TRML3pHjAn5WUfIwdB2DYh/yR0rEPU:cIo/ZHjq5WSxXVrEPU
Threatray	14 similar samples on MalwareBazaar
TLSH	58835E16F5D4A6F3F2588B740F685EF811EEAC342846CD4B28DC3E5D1A73A0489E9367
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: slot0.agcocorpe.com
Sending IP: 104.168.242.147
From: ppa. Thomas Rawe <info@agcocorpe.com>
Reply-To: ppa. Thomas Rawe <rjjha63@yahoo.com>
Subject: Quote price
Attachment: SGN07752818.IMG (contains "SGN07752818.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=8E778D4A23C91A07&resid=8E778D4A23C91A07%21265&authkey=AJm25L6IGNXgCeY

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48556/

Detection(s):

SecuriteInfo.com.Variant.Midie.74532.26942.6772.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/438153

Signature

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d48bd7c50cc69b4f73766563fde6a1444b64a725acb7b988e75bdc54b945d383/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-08-18 19:44:19 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2sf5primy2nu643wmvr73zvbirfwjjzfvs33tchhlpofjokf2obq._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200819-9fmhf18wbj/

Behaviour

Suspicious use of SetWindowsHookEx

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/d48bd7c50cc69b4f73766563fde6a1444b64a725acb7b988e75bdc54b945d383

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 25caa923919deac15a948c6d1e0293d9b10931868c1e2dc2896907050290ad13

GuLoader

exe d48bd7c50cc69b4f73766563fde6a1444b64a725acb7b988e75bdc54b945d383

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/436059/

Dropped by

MD5 5da230b9eb8b84db238fd0db36b751c5

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/48556/

Dropped by

SHA256 25caa923919deac15a948c6d1e0293d9b10931868c1e2dc2896907050290ad13

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample