MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebd4be279ffeac609946977cd38d51331cad3238e36185828c183154f5e03f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebd4be279ffeac609946977cd38d51331cad3238e36185828c183154f5e03f8f
SHA3-384 hash: d4a01f2a2a837b83fc5b7f1c06007774e27f03ca07e0b369c2a1a25efc6ceb40ab69b1029e231bf8b13c61c057f554db
SHA1 hash: 552c271a2f3457ea137cc52d669b2ff0b256741b
MD5 hash: 58a8b51e7c69f75f563747eae7bc12fb
humanhash: asparagus-arizona-emma-glucose
File name:Pago.xls
Download: download sample
Signature GuLoader
Create hunting rule
File size:71'168 bytes
First seen:2020-05-11 15:36:09 UTC
Last seen:2020-05-11 17:09:27 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 1536:iCxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAexMt2bk3ysqQwvXi:iCxEtjPOtioVjDGUU1qfDlaGGx+cL2Q2
Threatray 125 similar samples on MalwareBazaar
TLSH FC631891B685D8C6C94807354CEBC6E63B27BC105E6687CB3298F72F2F7269089C3657
Reporter abuse_ch
Tags:GuLoader xls


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: p3plsmtpa09-02.prod.phx3.secureserver.net
Sending IP: 173.201.193.231
From: Cuentas <compras@pharmasi.com.mx>
Subject: Pago
Attachment: Pago.xls

Malspam distributing GuLoader->Loki

XLS->GuLoader->Loki

GuLoader payload URL:
https://nilemixitupd.biz.pl/SILVER/COJHJHHGHVCDKNJKJ.exe

Loki payload URL:
https://protestlabsmovings.es/trilp/build_QaDIysPvgb173.bin

Loki C2:
http://157.52.211.247/arinate/Panel/five/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.URLDownloaderSuperStar.20200510.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Document-Word.Downloader.Sload
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 20:50:03 UTC
AV detection:
23 of 48 (47.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pkl4j4772wgbgkgs56nhdkrgmok2mry4nqylaumdayvj5pah6hq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
10481c8ab9d363251e4d1aab4805df6d245621a5f10302fe5ed8cdd9f20bdc14
GuLoader
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
GuLoader
82c8c241387c128a1d00eb9a96ec415ccad32461600441cb9a6c9176cfebd617
GuLoader
851f2df17ce8673bc0747d4ec64b2904b3749a5e9028acbc65db70613b3e5ad5
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
dd2348afaca2101fe4898391119d36e17ffe915efe10187d2085b06cbc8e1a12
GuLoader
dda25996ab5b78fa63ab71aa304360374fe2eb6ded670c778b2c69d9fa1f1e40
GuLoader
e97c8416fc63162b69167c2b4f51f82ae6aacc8e4276b76ca5b775ba2ec437ea
GuLoader
ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0
GuLoader
ef8f03a25087eeab581d8439a0a19ba7148270d2210d479c1d6867fac69dc813
GuLoader
+ 115 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-wjhrhsgdz6/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Office loads VBA resources, possible macro or embedded object present
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Excel file xls ebd4be279ffeac609946977cd38d51331cad3238e36185828c183154f5e03f8f

(this sample)

GuLoader

Executable exe 242e753a150db24e2f8a7787e97e26880806ec11f822eb388867b7703dd2de9f

  
URLhaus
https://urlhaus.abuse.ch/url/361190/
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 242e753a150db24e2f8a7787e97e26880806ec11f822eb388867b7703dd2de9f
  
Dropping
MD5 697ade1df9d97099efa52772726e73d5

Comments