MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f17c37c6d5e56b96e7d603d1eafcb885b8c229cd1a6ec1d669b1dadcce59bdef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

SHA256 hash: f17c37c6d5e56b96e7d603d1eafcb885b8c229cd1a6ec1d669b1dadcce59bdef
SHA3-384 hash: 885585f14c242faf122d9957f045f082e575b74f17ee759a290c8544c0be642759361707ada0f9ed300078f0edbc2974
SHA1 hash: b8158a8724d24968f9f75f94483acacdc6956eca
MD5 hash: b5374654ec2ffef8c046cafeee2adb22
humanhash: pluto-six-yellow-bulldog
File name: dispositio.exe
Signature: GuLoader
File size: 110'592 bytes
First seen: 2020-05-06 11:10:28 UTC
Last seen: 2020-05-06 14:11:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a648478880c6ae41ca83c9638e8ca8fb (1 x GuLoader)
ssdeep: 1536:VvHXGxTdYRktR9U+ac8W5fS4HQIkERy2hrbG23:VET0kr9TSoQSRhhvf3
Threatray: 259 similar samples on MalwareBazaar
TLSH: E6B30B942AA0DC13E5597AB2DB94F15DE7A5BC352831960732C1334A1F39AC2EF2172F
Reporter: abuse_ch
Tags: exe GuLoader Loki


abuse_ch
GuLoader pushing Loki from drive.google.com

GuLoader payload URL:
http://portal.nfbpc.org/dispositio.exe

Loki C2:
http://31.220.2.200/~putinnot/School/project/fre.php

Intelligence

File Origin
# of uploads: 2
# of downloads: 93
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-06 11:35:58 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
- Suspicious use of SetWindowsHookEx
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  GuLoader
    Executable exe f17c37c6d5e56b96e7d603d1eafcb885b8c229cd1a6ec1d669b1dadcce59bdef (this sample)
      Dropping: Loki

Delivery method: Distributed via web download

Comments