MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb422c90d0ddff14da11a769e774a29f71c6d6ed8352c59279dcf414f75cb91e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb422c90d0ddff14da11a769e774a29f71c6d6ed8352c59279dcf414f75cb91e
SHA3-384 hash: fe6d3e9477ef1039131bff75ed906d0e971db8a3173a1dd247b44217a1717e9a29da6d82d471b3499bdcb6923616c062
SHA1 hash: c0312373268f47e9b845833edd060786bcd88b17
MD5 hash: cd8e3dc3bac5c3e8260f030c2d4f8ce8
humanhash: twenty-papa-artist-floor
File name:2020-0619 LPO #232A-NGHI TIN (EcoLife).exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-06-03 13:10:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ee62b9851789e52250de971723d0b04f (1 x GuLoader)
ssdeep 1536:MASPfxV40cIoSrdLmj5BI6kgrKHxLdGKc+o0FDHdZ1gIZdcv3q5pWsQhW2:MpPXc1SrdYn/KVdhjFD9zSrhW2
Threatray 922 similar samples on MalwareBazaar
TLSH 00B38C03EC4D8653C1448BBD3D579E797B0DB90D19006BEFB53AAE9BAE312421CA711E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: sv49d117.emailserver.vn
Sending IP: 103.15.49.117
From: Ngoc Pham Thi Bich - MM <chinhpq@intech-group.vn>
Subject: MEGA MARKET - ĐƠN ĐẶT HÀNG THIÊN NAM HÒA – 103
Attachment: 2020-0619 LPO 232A-MEGA MARKET.rar (contains "2020-0619 LPO #232A-NGHI TIN (EcoLife).exe")

GuLoader payload URL:
http://ratamodu.ga/~zadmin/group/harl_cyMbNbo109.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Lokibot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6300/
Detection(s):
Win.Dropper.NetWire-7996875-0
Create hunting rule

Win.Malware.Razy-7997182-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 23:48:16 UTC
AV detection:
17 of 31 (54.84%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nbczegq3x7rjwqru5u6o5fct5y4nvxnqnjmletz3t2bj524xepa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0df2abd8f3c06aeb38649e78d5771ebc42fc7ff3365673a1234f4c907ae877f1
GuLoader
17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771
GuLoader
6c09ece0b9aad3203ecbbd39ece95dd2ec4caea7d0dd4259bc3b5e4158218dd9
GuLoader
83fc18a8a68814bb00e6d7bddbdce27ac5ffdc4dca8f57408e0db2124e4c441c
GuLoader
8c4a0f5a5739f570edea6dcbb7d5701cc6467ccdf00554a88669aab0f743180e
GuLoader
9dad25bb4c66c85c54da83d5c2ed752ed7c3452863fc4b46bda7cf440fef509b
GuLoader
c7ffd915a436362423fa08dcf1a834414c49aac7dc8357f460252d36e073da8c
GuLoader
d0a562dd58403b273a4f7044aedf26617c9cee21113d97ddaddd9cff2a9f6597
GuLoader
e16c2f6e8bad564692abd575007f18e17013e423d7cfe8882872d021ef3439f2
GuLoader
f6acfb0076b3a4e817b12f1f4e91eb89dbeeee1bca29d591949b73dfb604ef68
GuLoader
+ 912 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-rdgha5ar4s/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 355cd730a0a6e3e368f3243f35a38211aa446a772cb5f61beff7c28d27e2bdb2

GuLoader

Executable exe fb422c90d0ddff14da11a769e774a29f71c6d6ed8352c59279dcf414f75cb91e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374155/
  
Dropped by
MD5 87d6640e5f0d76a414629bef18ee7c31
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 355cd730a0a6e3e368f3243f35a38211aa446a772cb5f61beff7c28d27e2bdb2
Cape
Cape
https://www.capesandbox.com/analysis/6300/

Comments