MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5df5978473c4b77bcb6a3ec9d13f4c0e10b03a1aa82118235a6cf748f2c7809d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5df5978473c4b77bcb6a3ec9d13f4c0e10b03a1aa82118235a6cf748f2c7809d
SHA3-384 hash: 372fe796fd4aaf037d9326b97c69cb377e77c36e17514a9ec04ace9fae88e0e4f52a45f03869e58a0b40bec61e92beb1
SHA1 hash: 7c5ccf58c7ef4a6e756f112eaf077a0a0bac1ca2
MD5 hash: 3947f9cb63dc48721c08da084d85e975
humanhash: saturn-wyoming-delta-october
File name:Ensto Purchase.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-05-22 10:14:28 UTC
Last seen:2020-05-22 10:51:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e3cf5aa56fc7e52cc5ceb370534bc048 (1 x GuLoader)
ssdeep 768:mhN2/12zhrBqPr7AiVM/6vfRoyHn/HctpmmzRI+8lGt47m9DDDLiba1jz:0N2gz+7DVTLHn/HxmzRI77mDbjF
Threatray 1'358 similar samples on MalwareBazaar
TLSH 45932B35B1A0EC62DC340FB34E318654246BFD361B604A4B74C93B1FAA3799EA635397
Reporter abuse_ch
Tags:bat GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: ensto.com
Sending IP: 37.49.230.137
From: Sales <stefan.balund@ensto.com >
Subject: Ensto Purchase
Attachment: Ensto Purchase.zip (contains "Ensto Purchase.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=15JeNpheQKELUd7GAeWD3LUJ9Knm_np48

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 10:36:56 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 48 (45.83%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1ca43e5c33edbf126b18cd7603f5674dc45c9aa2d34efa41796a8f0f9a08b947
GuLoader
3c2fb53051873bdd9f851e47352dd4b303241a0224f458040dd5d06ac242cc7d
GuLoader
9be235495bd4696901a7e0538b3d96f6996268c67c1b607cdc8e33a794a6a9da
GuLoader
9d772f078ebff5dd18830b266cf39eaea44289e765d6290e8589e684a22d0946
GuLoader
ab4b09899d64fde8ca45f853009a739bfc0d75ad404d1cbcab7fc381169a1612
GuLoader
c4b5846ab10b6ac87f6f176bcb8a3f76a720628fd8b1aa9d7c1f603192f67bd0
GuLoader
c8ea056cb229cc17d43217a6aba42320468cfaea55d6f9846b5f402bab6b06d0
GuLoader
d2669f09cb9d457a0bb1ebc7db59cc0f53778ebf2fbd90f84b7c3fd587a109bb
GuLoader
d335fad41e3f9b09effaf617e6c56554b667191c9c94f4b644a15b396408858b
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
+ 1'348 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-w38xbqgj6e/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip f9432f92bf9fa675692126349aa8ae58233db9fc49102886e3fc8afca49d2d9f

GuLoader

Executable exe 5df5978473c4b77bcb6a3ec9d13f4c0e10b03a1aa82118235a6cf748f2c7809d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366523/
  
Dropped by
MD5 72da8e37f96cf3f74255a9189f18ec62
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f9432f92bf9fa675692126349aa8ae58233db9fc49102886e3fc8afca49d2d9f

Comments