MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8bafa64755f10484342423a2069ab6f9f817065b1f6bd45db2032677c64b7ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	f8bafa64755f10484342423a2069ab6f9f817065b1f6bd45db2032677c64b7ad
SHA3-384 hash:	82c9ab4d5a3c026f67461674cdcb769390415302c3ea444912d7b2a0e51d6a7bfba84fef844b3b559fabf45a4312cc96
SHA1 hash:	f924411a57bc8fb7ad057d5ffacbe3ad7b4b8674
MD5 hash:	7c3a40464f8860d06f2cae80ec905339
humanhash:	pennsylvania-white-purple-paris
File name:	gunzipped
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	53'248 bytes
First seen:	2020-06-04 10:47:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	53fae2033ab8e12a051b43ad4f2a598a (1 x GuLoader)
ssdeep	768:ZMQUM4i0eSKnREBmW2Rx6t7+lHnx9FAMCIYORHMX4EPUSYUi0tak:yQ/N0XKREB/Og7+Vnx/ATOtOPUup
Threatray	887 similar samples on MalwareBazaar
TLSH	2133F517B9DA4112F40446FBFD519DED6822EC22E901BF0666C5BABF4E70056ACE432F
Reporter	abuse_ch
Tags:	GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: clean205.mxserver.ro
Sending IP: 176.223.124.55
From: Hamza Kray <hkray@powertk.com.tr>
Subject: Quote Power TK - Perkins (TR & ESC) Stok Durumu 04.06.2020 (Power TK - Perkins (TR & ESC)
Attachment: Quote Power TK - Perkins TR ESC Stok Durumu 04.06.2020 Power TK - Perkins TR ESC.gz (contains "gunzipped")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1RFEcyvZjGsxKyjruUfoykVIq8Z2h7v7s

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Lokibot

Link:

https://www.capesandbox.com/analysis/6517/

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

rans.troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/368083

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-04 07:16:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7c5puzdvl4ieqq2cii5ca2nln6pyc4dfwh3l2ro3eazgo7dew6wq._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-kbnyqhlk82/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 3011c4b8f9a11fa19f9771356f33a674e90456e8634ce597f885f046b8b51b5a

GuLoader

exe f8bafa64755f10484342423a2069ab6f9f817065b1f6bd45db2032677c64b7ad

(this sample)

Dropped by

MD5 8ca1ec392b359a8c8f62eced1297c91c

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3011c4b8f9a11fa19f9771356f33a674e90456e8634ce597f885f046b8b51b5a

Cape

https://www.capesandbox.com/analysis/6517/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample