MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58
SHA3-384 hash:	4f93cb200a13174d0595bc01e572a69ded7e460f71b206d8f1dfcabd0120d90a3e1f3d4426fa856b2633098871353d80
SHA1 hash:	9af40c2d7133c8856a85c57d9c2435456b0a33cd
MD5 hash:	33848711e66319dc81230b27d496c059
humanhash:	one-fix-oranges-alaska
File name:	RFQPO700125210.bat
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	192'512 bytes
First seen:	2020-05-28 07:05:26 UTC
Last seen:	2020-05-28 08:22:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	27d5fb48cf608a63dbcb7fad5ed2bc20 (1 x GuLoader)
ssdeep	1536:6B+rZFl8HtZvPPMyVNrWAgSrd1364kXarSqK+YCQxvc3YTXSxGfU/l:4+rZF+NZX9GfSrd1364wa/FYC9B
Threatray	5'331 similar samples on MalwareBazaar
TLSH	DC143B37B69BCCA1D94405B4C8D2D9F41861AC14EE07CE5B76C0BF3E757A083A926B36
Reporter	abuse_ch
Tags:	bat GuLoader

abuse_ch

Malspam distributing GuLoader:

From: Qatalum Services LLC <info@qatalum.com>
Subject: Qatalum RFQ PO700125210 Supply
Attachment: RFQPO700125210.r15 (contains "RFQPO700125210.bat")

GuLoader payload URL:
http://www.mailserverservices.info/XAZ_XRrorYsrkF74.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/5796/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.43234288.24877.22486.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Grp

Status:

Malicious

First seen:

2020-05-28 00:46:00 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

22 of 31 (70.97%)

Threat level:

2/5

Verdict:

malicious

Label(s):

guloader

Similar samples:

0e319c36c39c8504a0349445b2282bc450758b7e670a3477c0653b1daafffaff

308336495b7fa2af7107a520ec1fdcaac4a0d615e0ecfd8ddd6090c72c3f46b6

37812e3e7309cc0348c77208870cbeb44636a785dec26241fc6e392905edf91e

3b7dc89103d8c49eea88bd302c37e6b9c1f1ae13bdd38c9ff9709568b9f56e3b

4d4f1920e857285f7bb60473910ffabdd1cbbbb9140be18af0f226a247159546

9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2

a34a05f4fba031be97dcc4bb04e0e45a75d1034cd2d32177b26a65de7a1306a0

a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3

da6fd7aeb4a04410109f9f170589fe5262a1922a7dabc5b7b26e0af00dcdaba3

f6557b3412ca78e87ff38632aaf24732b74da646678fd6ea5f01134bb498fd14

+ 5'321 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-l2grgx2ne2/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar ec9d54f625cef1085f641836f89030dce3e92738a93e69887d99ab954d9690be

exe 42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/370264/

Dropped by

MD5 5b34d3d16f9e80b547d7399ae61e212d

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 ec9d54f625cef1085f641836f89030dce3e92738a93e69887d99ab954d9690be

Cape

Cape

https://www.capesandbox.com/analysis/5796/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample