MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f4ed6ffb6539e4fd08da57d1d3577180598316972c284d344fb84c1c601a129. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	2f4ed6ffb6539e4fd08da57d1d3577180598316972c284d344fb84c1c601a129
SHA3-384 hash:	46f74aa3e6d5f1f519c2f891d2a3821ba1a86600e556b48ba86f01f0b86c2ae861b8b4dc2dbb68d21b0ffd53bf1a86ce
SHA1 hash:	af38ab9005998b922e7c791dffceb5b1634496f7
MD5 hash:	9dd792eb5cd0ca8aaf354fb198420913
humanhash:	london-seven-carpet-quebec
File name:	STOCKHOLM -SE BANK TELEX 32,000 EUROS.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-05-23 11:50:46 UTC
Last seen:	2020-05-23 13:13:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3485fbe762bc53c3a90f8034b9982d87 (1 x GuLoader)
ssdeep	768:F3kYJcmdMpv0UnscwuYMxHeCgTH5Oc+1cbdnU2w3Ps9W1QqeQhGj1XixT3kg:hk0dgtnscXYMReRTZlER2wqqepVixDr
Threatray	10'631 similar samples on MalwareBazaar
TLSH	4E931A6BB940D872E9240EF11A728A585567ECB09D904B0378EE3B6D3E3374E99753C3
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: biza0.feedtrades.com
Sending IP: 103.124.107.37
From: ACCOUNT9 <contacts@feedtrades.com>
Subject: FWD: RE: WELSFARGO-US BANK TELEX PAYMENT $32,000
Attachment: WIRE PAYMENT- WELSFARGO.IMG (contains "STOCKHOLM -SE BANK TELEX 32,000 EUROS.exe")

GuLoader payload URL:
http://185.205.209.166/wext/Rem-Stub21_xJNEDiadS140.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

64

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-22 23:02:00 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

19 of 30 (63.33%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

guloader

Similar samples:

103e7d56674c0bbc15c3e92bccfa444dfa0d13412f9a34012e0dc1ab7f7b9f18

3c1e86488fe5d68c50ae1d1b13138419f9d14e7ebc33c284c29b4385dd5c8493

461a6b0785f4a709fbc9a6aad7194f37f54adcf99e52a47d592761c7a1f29b03

90dcb385b06592664cb04ab1ac751748aafd8d8f9673547e19c8370bb614acf2

b3382a480fd0e7749a33bf51874e5b69cdcc8286fe9768c5b5dbad912ff549c2

b9ec899a1cb59794313ed0db3e338dbc43970785be52cf756b0d33588c0064d8

bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6

eced8139c7651d297e4bc18c9b8783b76ffa477c07e09b269739d8b6fa0d14de

f57973fe9b7144fd299f70cc04bcde1e442f6816de323361f1b09cb63c4e41b4

f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a

+ 10'621 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-xssl7phmy6/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 2ee9d3af84f02be1fe7c45f9e618ef402d09bb3e1eac3b8e46f1d587aebe42aa

exe 2f4ed6ffb6539e4fd08da57d1d3577180598316972c284d344fb84c1c601a129

(this sample)

Dropped by

MD5 06197da63722ddf55ae757d68aefc69e

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 2ee9d3af84f02be1fe7c45f9e618ef402d09bb3e1eac3b8e46f1d587aebe42aa

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample