MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3371cb1ea5c1990f19e0141454e418ba8e30d70c140d5f4cd3e797aa80a9bb9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	3371cb1ea5c1990f19e0141454e418ba8e30d70c140d5f4cd3e797aa80a9bb9c
SHA3-384 hash:	19ce50037ecd98c135c32d811e8679262052710ceadfeff61000eb88a29075f2eb633f070434f4a9e856b8f29c2fa26b
SHA1 hash:	6dd1f493400987c2985a373cfe936d709de1ce9d
MD5 hash:	2d7f2df4220cee32dee1c8acb91ba4a2
humanhash:	ink-venus-kansas-april
File name:	gunzipped
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	196'608 bytes
First seen:	2020-05-28 13:17:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a21af033676a50847cb917ba09b1adbd (1 x GuLoader)
ssdeep	1536:YvjWcRNWQgoGZsO4NcOe+jWfreKHOFTb1udOxLypx0XM4yxO5rX3m+l+NLcZKo:qSc2RZs1WfreFX1udyyHibywx
Threatray	418 similar samples on MalwareBazaar
TLSH	D1143A36B667DCA3DA8549B0D9D1D4F40469BC20C8468A3F72C17F2E36B61D39862B37
Reporter	abuse_ch
Tags:	GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: ggkorea.co.kr
Sending IP: 192.129.189.208
From: Veronica <veronica@ggkorea.co.kr>
Subject: Re: SP 21 Woven Top/Dress Fabric Follow Up
Attachment: doc05282067665898688.scr.z (contains "gunzipped")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1qJ1bywJ84j6KAC1qYO9XPmviM6AS8b64

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/5870/

Detection(s):

SecuriteInfo.com.Win32.Injector.EMDX.9146.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-28 08:04:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/201109-b64kwalc1n/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

z 0e5d66a89a9a2c58c1d5ee943eefe7db569511a37c33c3e7ce9a0fcc6ef27597

GuLoader

exe 3371cb1ea5c1990f19e0141454e418ba8e30d70c140d5f4cd3e797aa80a9bb9c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/370974/

Dropped by

MD5 902298957680a0f73875dc75b0f9247c

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 0e5d66a89a9a2c58c1d5ee943eefe7db569511a37c33c3e7ce9a0fcc6ef27597

Cape

https://www.capesandbox.com/analysis/5870/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample