MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d3bd2bc079a411c7f6ae85c322147246640834d77cba3388f00a0ff1a86c6d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d3bd2bc079a411c7f6ae85c322147246640834d77cba3388f00a0ff1a86c6d1
SHA3-384 hash: 87febc720f12ee8e8a44a8d28dbe8875aee1734f52b7b04e0731f5a21a4bb7caea836b23a80777065fd4320bf5b94820
SHA1 hash: c9940bb950aa7be0c761033ec3806fd54624046b
MD5 hash: 7aa29853a92ae931b98f964bd3deb8e1
humanhash: mexico-speaker-south-hawaii
File name:DHL_DOCUMENT_PDF.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-05-22 09:46:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dff1ff70697d9137098ac61da35ebdf1 (1 x GuLoader)
ssdeep 768:MPVpGG1gGt+HMA08uDq/NktZi4P8PL8FZoUqZUOYCfYzEjpyiaSKn5Rf1VWW:W+PytV8T/UOYCfYzgpyyK5RfL
Threatray 5'125 similar samples on MalwareBazaar
TLSH BE932B29F654ECF5CE044EB18D688AD445AFBC315D058F0F2AD93B6C2A3B542ED6131D
Reporter abuse_ch
Tags:DHL exe geo GuLoader KOR


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: poc.creationfinancial.co.uk
Sending IP: 178.62.94.186
From: DHL Korea <info@careoption.net>
Reply-To: kodak3399@protonmail.com
Subject: (Dhl korea) 글로벌 문서 도착/주소 확인
Attachment: DHL_DOCUMENT_KR.img (contains "DHL_DOCUMENT_PDF.exe")

GuLoader payload URL:
https://noirrealtysolution.com/ad/bin_BJUiS152.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 03:18:04 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
GuLoader
11124347d4a19a4f709bb4ebb2f9c12873f4f079ef3d5e60e18fa9a975302c70
GuLoader
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
GuLoader
5c7b25c7496dfd38b4b8b2e0b77feaa6990cc65d2c376e49ede55188ffa0ea15
GuLoader
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
GuLoader
a57304043cdf4e54783b99ba437e2dedc5bded49da0878e17c459ba37e41bb55
GuLoader
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
GuLoader
c906a842516c0b1b052768b573c44fc42d24e0abc4d89ca8e4afc2559adaea1d
GuLoader
f3691f40ec472e4bc10cd7855fce1e52a6e177513c1cff51054463cff7106601
GuLoader
fd268c1e214dd5e0ae8dd56403ef5001769f9fc0ac5e7491c9460a52dfd2cc89
GuLoader
+ 5'115 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-497wjd2f32/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img ba7a924703a5105c982b8da16704ee7e22357359fc0ce075f4a8cd80249f1379

GuLoader

Executable exe 1d3bd2bc079a411c7f6ae85c322147246640834d77cba3388f00a0ff1a86c6d1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366497/
  
Dropped by
MD5 fd1bbe41e42327d49fa1abe090a07ce7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ba7a924703a5105c982b8da16704ee7e22357359fc0ce075f4a8cd80249f1379

Comments