MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eea878ddf832542b6a4265d632e73d2f43fe76b633acdc63fb3c20435d2ac199. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 2


Intelligence 2 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eea878ddf832542b6a4265d632e73d2f43fe76b633acdc63fb3c20435d2ac199
SHA3-384 hash: a1fe046e35d415d4096e4aa97d6f6dba33d0c909dee91eace4ae67b359381f770afb903ca7451365da410596d996e2e5
SHA1 hash: 147ab085717a9a90f278ae7f801d584fd6e81515
MD5 hash: 2b195d8cb267104f12c5118f3e6870c0
humanhash: green-helium-high-minnesota
File name:Payment confirmation 1st installation SWIFT- 8987TT 55654399086.zip
Download: download sample
Signature GuLoader
Create hunting rule
File size:59'364 bytes
First seen:2020-05-28 06:30:17 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 1536:vodWpKVMxtaZKDphr4adpxef/Io3TziVhDv:wiKmxtaKDXdifBziD
TLSH B0430270097629026186DACB088EB84DD5921447BD21EFCAEB31DE7C98539F63BEC774
Reporter abuse_ch
Tags:FormBook GuLoader NetWire nVpn RAT zip


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: biz2.con-fer.org
Sending IP: 95.214.9.110
From: SARICA Levent <contacts@con-fer.org>
Subject: Attn: sales Balance Payment first installation SWIFT 949950TT
Attachment: Payment confirmation 1st installation SWIFT- 8987TT 55654399086.zip (contains "Payment confirmation 1st installation SWIFT- 8987TT 55654399086.scr")

FormBook payload URL:
http://naturepack.cc/files/bin_ArPodh112.bin

NetWire RAT payload URL:
http://naturepack.cc/files/RTXN.exe

NetWire RAT C2:
185.244.29.175:7070

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisFCFB187C0130.14803.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 06:37:05 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
23 of 48 (47.92%)
Threat level:
  2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip eea878ddf832542b6a4265d632e73d2f43fe76b633acdc63fb3c20435d2ac199

(this sample)

GuLoader

Executable exe 0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b

  
URLhaus
https://urlhaus.abuse.ch/url/364770/
  
Dropping
MD5 1072af4cce0c15a89d9104eed3012624
  
Dropping
GuLoader
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b

Comments