MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb4582cb00844df09a71aa8f41a8f05f6775230e35f8775c7b52302dc6d0716c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5
SHA256 hash: eb4582cb00844df09a71aa8f41a8f05f6775230e35f8775c7b52302dc6d0716c
SHA3-384 hash: ac043e2d6c21b5d020d20a6d7583316091789d2491677c3ad2168baac44613bf187257b3ff16f9d553a2e07a2bd5b419
SHA1 hash: 84f907d9e502c41017f1422fab37893602637f1b
MD5 hash: cc8496b710d9a8e7cc6b600b25b7fea7
humanhash: thirteen-mexico-tango-enemy
File name: 0312 RFQ #090701 - DRA-062020-BR.exe
Signature: GuLoader
File size: 77'824 bytes
First seen: 2020-06-08 07:12:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d1770d1f31c333302ae4e9f6ddf5b3bc (1 x GuLoader)
ssdeep: 768:ZsTysfNpuRnnPilTjATM3cvEQ+TRLTufHppNH3DEpTkRXQJtEWx4Be3KOfCczPgA:uTysFY6TjMHMQeafppNHAp0goKK9X
Threatray: 949 similar samples on MalwareBazaar
TLSH: 00739E03E904E991F14083726D925B4A273BDD295E42AE8B76995EEFFC306C21DF132D
Reporter: abuse_ch
Tags: exe GuLoader Loki


abuse_ch
Malspam distributing GuLoader:

HELO: sv49d146.emailserver.vn
Sending IP: 103.15.49.146
From: Le Thi Phuong - KETOAN - XLT [phuongle@xltech.com.vn] <chinhpq@intech-group.vn>
Subject: Re: QPPE-PCC1 09062020 Đơn hàng XL Technical VN – 03
Attachment: 0312 RFQ 090701 - DRA-062020-BR.rar (contains "0312 RFQ #090701 - DRA-062020-BR.exe")

GuLoader payload URL:
http://ratamodu.ga/~zadmin/group/harl_cyMbNbo109.bin

Loki C2:
http://egamcorps.ga/~zadmin/lmark/harley/mode.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 84
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Spyware.FormBook
Status: Malicious
First seen: 2020-06-07 23:19:33 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 2/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe eb4582cb00844df09a71aa8f41a8f05f6775230e35f8775c7b52302dc6d0716c (this sample)

Delivery method: Distributed via e-mail attachment

Comments