MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 461a6b0785f4a709fbc9a6aad7194f37f54adcf99e52a47d592761c7a1f29b03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader
Vendor detections: 3

SHA256 hash: 461a6b0785f4a709fbc9a6aad7194f37f54adcf99e52a47d592761c7a1f29b03
SHA3-384 hash: b1002370306aa3a3c4c20d6cde5a0ce97e410304259e87d66d01bfc246200b5ca4b40a198d99e1d84f6622c8aa65e372
SHA1 hash: b13d3b20010456bce4bbfc2d9dc9c7c8375b5bc2
MD5 hash: 913afff12777c468c42ecca57e84127a
humanhash: violet-mexico-mobile-beer
File name: WIRE PAYMENT- WELSFARGO.exe
Signature: GuLoader
File size: 94'208 bytes
First seen: 2020-05-23 11:51:11 UTC
Last seen: 2020-05-23 13:13:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7552a81bcd05c245edea64921fa97077 (1 x GuLoader)
ssdeep: 768:UKOoPEw9WCusHthCSuk+xAzcMcw9QWc72i1N1ihxCXAcomCtsDvcFef0:9OuEwe+skgCtqtoHEkFeM
Threatray: 10'635 similar samples on MalwareBazaar
TLSH: D9931A717990EC77DAA10BB16D328B6418F7FC3118044A037AC93B5E657798DA8353DB
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: biza0.feedtrades.com
Sending IP: 103.124.107.37
From: ACCOUNT9 <contacts@feedtrades.com>
Subject: FWD: RE: WELSFARGO-US BANK TELEX PAYMENT $32,000
Attachment: WIRE PAYMENT- WELSFARGO.IMG (contains "WIRE PAYMENT- WELSFARGO.exe")

GuLoader payload URL:
http://185.205.209.166/wext/Rem-Stub23_lNdKRpB81.bin
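The indicators in the comment above, turned into a small offline matcher. This is an added example, not code from MalwareBazaar or from the reporter: the hash and network values are copied from this page, the Postfix/amavis and Squid style log lines are constructed for illustration, and the function and variable names are my own. It shows the two checks an analyst would run on receiving such a report: does a file on hand hash to the sample, and do mail or proxy logs contain the sending host, sender, attachment name or payload URL.

```python
"""IOC matcher for the GuLoader malspam campaign recorded on this MalwareBazaar
entry. Indicator values are copied from the page; every log line below is
constructed for illustration and is not from a real mail server or proxy."""
import hashlib

# File hashes from the entry header.
SAMPLE_HASHES = {
    "sha256": "461a6b0785f4a709fbc9a6aad7194f37f54adcf99e52a47d592761c7a1f29b03",
    "sha1": "b13d3b20010456bce4bbfc2d9dc9c7c8375b5bc2",
    "md5": "913afff12777c468c42ecca57e84127a",
}

# Mail and network indicators from the reporter's comment.
NETWORK_IOCS = {
    "sending_ip": "103.124.107.37",
    "helo": "biza0.feedtrades.com",
    "sender": "contacts@feedtrades.com",
    "payload_ip": "185.205.209.166",
    "payload_url": "http://185.205.209.166/wext/Rem-Stub23_lNdKRpB81.bin",
    "attachment_img": "WIRE PAYMENT- WELSFARGO.IMG",
    "attachment_exe": "WIRE PAYMENT- WELSFARGO.exe",
}


def hash_bytes(data):
    """Return the md5/sha1/sha256 hex digests of a byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matching_hashes(data, known=SAMPLE_HASHES):
    """Names of the algorithms whose digest of `data` equals a known value.
    An empty list means the bytes are not this sample under any listed hash."""
    digests = hash_bytes(data)
    return [alg for alg, value in known.items() if digests.get(alg) == value.lower()]


def scan_log(lines, indicators=NETWORK_IOCS):
    """Return (line_number, indicator_name) for every IOC found in every line.

    Matching is a case-insensitive substring test: HELO names, mailbox
    domains and Windows file names compare case-insensitively. A line holding
    the full payload URL also matches the payload IP indicator; that is
    intended, since either on its own is worth an alert. Line numbers are
    1-based, as grep -n reports them."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        lowered = line.lower()
        for name, value in indicators.items():
            if value.lower() in lowered:
                hits.append((lineno, name))
    return hits


# Constructed Postfix/amavis-style mail log; only lines 1-3 relate to the campaign.
MAIL_LOG = [
    "May 23 11:40:02 mx1 postfix/smtpd[1234]: connect from biza0.feedtrades.com[103.124.107.37]",
    "May 23 11:40:03 mx1 postfix/qmgr[1240]: 4A1B2C3D: from=<contacts@feedtrades.com>, nrcpt=1 (queue active)",
    "May 23 11:40:04 mx1 amavis[1300]: (01300-01) Passed CLEAN, <contacts@feedtrades.com> -> <ap@example.org>, attachment: WIRE PAYMENT- WELSFARGO.IMG",
    "May 23 11:45:10 mx1 postfix/smtpd[1234]: connect from mail.example.net[192.0.2.10]",
]

# Constructed Squid-style access log; line 1 is the second-stage download.
PROXY_LOG = [
    "1590234700.123    412 10.0.0.15 TCP_MISS/200 91234 GET http://185.205.209.166/wext/Rem-Stub23_lNdKRpB81.bin - HIER_DIRECT/185.205.209.166 application/octet-stream",
    "1590234701.500     80 10.0.0.15 TCP_HIT/200 2048 GET http://www.example.com/ - HIER_NONE/- text/html",
]


if __name__ == "__main__":
    for source, log in (("mail", MAIL_LOG), ("proxy", PROXY_LOG)):
        for lineno, name in scan_log(log):
            print(f"{source}:{lineno} {name} -> {NETWORK_IOCS[name]}")
    print("hash match on junk bytes:", matching_hashes(b"not the sample"))
```

The imphash, ssdeep and TLSH values on the page need third-party libraries (pefile, ssdeep, py-tlsh) and are not computed here; the three cryptographic hashes are enough to confirm an exact copy, while the similarity hashes are what you would reach for to find the other Threatray-linked variants. Substring matching is deliberately simple: it will also fire on a mail log that merely quotes the indicator (for example a bounce), so treat a hit as a lead to pull the message, not as a verdict.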

Intelligence


File Origin
# of uploads: 2
# of downloads: 73
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-22 23:02:00 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 20 of 30 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: GuLoader
File: Executable exe 461a6b0785f4a709fbc9a6aad7194f37f54adcf99e52a47d592761c7a1f29b03 (this sample)
