MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e83cb09eb3d37595a1840cd716ef1e64e2d3d564147e32fcd10564cf43f5b32c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e83cb09eb3d37595a1840cd716ef1e64e2d3d564147e32fcd10564cf43f5b32c
SHA3-384 hash: 5531614f0034ffe546d3b77e70a9773530970e1d503477068c83c9f1a36306692b998da29bb0095d7049d1703fe35237
SHA1 hash: f712f0d4295aae01b61eb58822874c3c11a30010
MD5 hash: 872470e043d491a63cba7b97f55dc425
humanhash: lion-louisiana-ceiling-green
File name:invoice copy.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'824 bytes
First seen:2020-06-08 12:04:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 51f556729019f3f5750a1d283e02f64d (1 x GuLoader)
ssdeep 1536:028ysFY6TjMSJRuVrzagjLO9p0goKKaGc:RBxuQmurzBq7nT
Threatray 820 similar samples on MalwareBazaar
TLSH D473AF076C4EC752F04087B06D938BEA37276D2859029E9776F55FAFEC706C25DA021E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: [156.96.60.4]
Sending IP: 156.96.60.4
From: hcshin@shinpungtex.co.kr
Subject: invoice
Attachment: invoice copy.zip (contains "invoice copy.exe")

GuLoader payload URL:
http://156.96.118.179/BELIKE_xEIfjzYvQm206.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6986/
Detection(s):
SecuriteInfo.com.Variant.Razy.681950.3170.9664.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 12:06:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5a6lbhvt2n2zlimebtlrn3y6mtrnhvlecr7df7gravsm6q7vwmwa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
GuLoader
2d40a6c3d1200616055b55031daa8a6b010b3c99219f6b6da87bcd2b2f27d6c2
GuLoader
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
GuLoader
4dac6edef78dafb90df3fd12392f3476743ec38556aa72d364c913cb7f866ec3
GuLoader
72eb2dc730e3574dcb204d37fcfb35cf91bacd8087d6028d743cb0992c874244
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
b8565239fc984ae11a613ad6a80eebcf3e006125c8e6240583a0365669c32397
GuLoader
c72abb73f39b466cd8b230c1fd9d6c1bf46573db11038eaa407d47976eb317eb
GuLoader
f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b
GuLoader
fd5787f252991130457a5aaa488942f167cfc8b8655a9a1ea2746906cb0a3768
GuLoader
+ 810 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-nleza33y6a/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 214ff293158223d64726e3ade2accf7fde041923afa2dc8a2723b5a54e0b8f97

GuLoader

Executable exe e83cb09eb3d37595a1840cd716ef1e64e2d3d564147e32fcd10564cf43f5b32c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383066/
  
Dropped by
MD5 8164bd60c71956772619896270885c2a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 214ff293158223d64726e3ade2accf7fde041923afa2dc8a2723b5a54e0b8f97
Cape
Cape
https://www.capesandbox.com/analysis/6986/

Comments