MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e91c4ae1a0b9f6bd1c2ae422b2d9488949110017b9d06001e6bcd386905c8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	d7e91c4ae1a0b9f6bd1c2ae422b2d9488949110017b9d06001e6bcd386905c8e
SHA3-384 hash:	8fb79eae6c44b059bae6372e58fd1f2329fc1a65d0807f21996c5f434ed2d8656aca648cafa8cf6cd158f6f9f77cd100
SHA1 hash:	7bf0cbe6d1985bd0fe4b11c44eed8d54f3ac0d79
MD5 hash:	c9bb942c858475b5953707630a170727
humanhash:	iowa-jupiter-south-four
File name:	FACTORY EQUIPMENTS PURCHASE ORDER MKCT-02-06-2020.PDF.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-06-02 10:59:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	60858209b45cd2563fa09806a5f002c7 (4 x GuLoader)
ssdeep	1536:ENFO8lL4t20ZQwBPGglWLzwKQwhSHYPWTe1ojwD:PtPmwp7lIzwPQZD
Threatray	1'532 similar samples on MalwareBazaar
TLSH	BC9318037AD49512F1B25B712E7B82996F25FC1A5D82990F340D1A4BBB317629CAC33F
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: server1.swisspac.es
Sending IP: 119.18.63.233
From: JK & T Equipment Pte. ltd. <purchase_dept@jktgroup.com.sg>
Subject: PO. FOR NEW FACTORY EQUIPMENTS
Attachment: FACTORY EQUIPMENTS PURCHASE ORDER MKCT-02-06-2020.PDF.7z (contains "FACTORY EQUIPMENTS PURCHASE ORDER MKCT-02-06-2020.PDF.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1Uqtyb1TKHoyFpZuMRfKU3riHJmm5Ln5C

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6042/

Detection(s):

Win.Dropper.Nanocore-7995234-0

Gathering data

Threat name:

Win32.Trojan.Vbkrypt

Status:

Malicious

First seen:

2020-06-02 00:49:01 UTC

AV detection:

15 of 31 (48.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=27urysxbuc47npi4flscfmwzjceuseiac645ayab426nhbuqlsha._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f

1d117728ec260d80f6c6a347c4c32c965c69ff10bd4f08444fc70e82eebb1094

2e4e588077024fa1b6e3a621faef00f099fdf962d850adc1895cd0d878a1e8d7

37d7bba1bacdbcb35e301c1fc391449ea84d1203ca59a8b1f1142acf4596e032

6c318da83e3d6644f8e3cfc7b57627970cbbd6a607c7c6e661c3bdb9bd20ba44

b5e4950f8979f18ad063f3df3fb483aa88273271254201dbc0e5241b7713edc2

cb530981e6d92b89bc5346c11b478a5fb329eae8d8bb4609ee00f64747b993ff

d725785ec3970b75ecb17a7e5ac14d93ce7a54d259dffc74e8222ed8cfb8b6b3

dcafd8ba263cf7e448be257a8d25c968a0060908f93f9d02a068bb0dd482879f

f060225054513f81f7600706174134f5bed19ede10f3134f59514542305c7f2b

+ 1'522 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-7x2xk618la/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z d5b2aa965df10068da51021b7817fcb6dd677fd53a3d74728751b8320e198a28

exe d7e91c4ae1a0b9f6bd1c2ae422b2d9488949110017b9d06001e6bcd386905c8e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/374146/

Dropped by

MD5 6b1513663a21ca27665c2db247a38252

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 d5b2aa965df10068da51021b7817fcb6dd677fd53a3d74728751b8320e198a28

Cape

Cape

https://www.capesandbox.com/analysis/6042/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample