MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0a55cba6885e046f0eb064179877af39b10f3d8cc74b8c697ea7c8cda6ab739. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	e0a55cba6885e046f0eb064179877af39b10f3d8cc74b8c697ea7c8cda6ab739
SHA3-384 hash:	d82fdcec4a6145d1c27df11ec44c906bafc2003f3ca1c8141c8c48fac876808a02a33a4979f2839c2a8c83439996ea28
SHA1 hash:	4ed6a07556b4718148e8fa6abfe428b5c5ad88a8
MD5 hash:	b256fa01bc288d0fd862ab5124b7ca0d
humanhash:	uranus-comet-iowa-princess
File name:	DHL Arrival shipment.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	77'824 bytes
First seen:	2020-06-07 19:51:08 UTC
Last seen:	2020-06-07 20:46:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2c5a14836ae481ea84fec6186fa744da (1 x GuLoader)
ssdeep	1536:n3DrdLtwB5uQAT4BwDwvTH/8ToBhjakEuEN:Trdh2/KEz/8TPky
Threatray	2'441 similar samples on MalwareBazaar
TLSH	C673AE07BD28D993D1450AB02E23D9991E367D684842DE4BB104AF9FFC747D368E960F
Reporter	abuse_ch
Tags:	DHL exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: airgalaxy.com.bd
Sending IP: 167.114.52.13
From: DHL EXPRESS <dac.ofrdocalert@dhl.com>
Subject: DHL Arrival Notice// House Waybill/bill of lading// Import DGF customer Invoice
Attachment: DHL Arrival shipment.gz (contains "DHL Arrival shipment.exe")

GuLoader payload URL:
https://kinansreview.com/build_NEW_gLpjIcLUO232.bin
https://cmdtech.com.vn/build_NEW_gLpjIcLUO232.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

79

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6927/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.43287589.9614.8158.UNOFFICIAL

Gathering data

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-05 05:27:23 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4csvzotiqxqen4hlazaxtb326onrb46yzr2lrrux5j6izwtkw44q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

0494c6b3493335509d5fdce6d9592d796e592fee648f42dded58ddc29e3565a1

168cd5b5e4d1dfec48777cdc97b74c7b33dca67d176f9add9bb94fa89905db38

625d65e2f28c0eb382f79567e2688de8188fa6606f6add912c74305c6f560718

63a5b27aaccab499d4e56d6606d9495484685be3f63817f9e90a61330bcffe38

8e73f4dbd13dd1cf8475bab8fae351b8a05507e429bd3b3700fca13dc764d66a

a7b55b6bfafb6d370f94ff25e294f90d28818a1842ecad4546d18334c616cb97

b282b41544510e59a40e875239a18b038243be344b1439e19d821eb7622e9230

bf6d2e90c5fd6b327f1e513402eb01491ac8487b682243450ad684de5e6e62d4

d05800ab82af8100fbb6ee66729de2aa580f8acde780df49ef14b4213f316e87

f888221496147b75d54210c499498b02780082a4e241575c7374adf58c38d902

+ 2'431 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-4pj5w3jwqs/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 644eefdc34d8d71af2cb639411ecaf6d00e6092acd60594353e47ea5a836fffd

exe e0a55cba6885e046f0eb064179877af39b10f3d8cc74b8c697ea7c8cda6ab739

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/369924/

Dropped by

MD5 5a6f179dac6ed66c98eb16eea4280bcc

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6927/

Dropped by

SHA256 644eefdc34d8d71af2cb639411ecaf6d00e6092acd60594353e47ea5a836fffd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample