MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fc23e159d21753ca7140091700214b2c277d0f94e80280b58bbfda43930e7d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fc23e159d21753ca7140091700214b2c277d0f94e80280b58bbfda43930e7d2
SHA3-384 hash: 415ef1c5ef979c181d612888e93fb6fe324df371bf843f7f25a822c1cbc7c55c979d4163c93fd0284441efb2041c66c3
SHA1 hash: 09844f070500aaec2c7813fd039c4fad2f259a03
MD5 hash: 95211084ca6d765254538d958da1dc33
humanhash: fifteen-winner-kilo-massachusetts
File name:PAYMENT INSTRUCTIONS COPY.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-05-22 15:03:44 UTC
Last seen:2020-05-22 15:48:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dcb714004172e9d71fd31bf582c76b3 (1 x GuLoader)
ssdeep 768:kQPBlfs1TSo56Yh2h+x/lUOzen6fLTgnmpDmzGxRJel5OjjxPN1xXtMM1t:jPB8bh2GaOzen6DTgEk2xPTF3
Threatray 500 similar samples on MalwareBazaar
TLSH 58931A2A7290EDA7CA650FF12D75D6DC182BFC3029144B4370D53B2D7A3398AA875357
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: ss0109.hostingcare.net
Sending IP: 138.128.162.42
From: Faye Segal <info@drivus-industry.com>
Reply-To: ukcompany20@yahoo.com
Subject: RE: PAYMENT INSTRUCTIONS
Attachment: PAYMENT INSTRUCTIONS COPY.gz (contains "PAYMENT INSTRUCTIONS COPY.scr")

GuLoader payload URL:
http://creativewg.com/baby_zLlTwqAf177.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 15:35:48 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 30 (76.67%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0f9f76e8ffa64b600745b99b8f7b51cfa151299424e6523995c6c0bcd7a5cd6b
GuLoader
2b06bef1e11a4116301fd6fe39fee4f1a131cff248ba8e1213335161f51385f9
GuLoader
6da928194ba7abbc975b4b7ce1415b1fc7787a459f137ce07498920fd740bf68
GuLoader
705359998910a71e56cde4f359ad4ae767d0182b45f46615ebcbaa969fe5c5c5
GuLoader
9620e9e95846fd7b21206464f6e5493290e869a425887621835ecc2a0de82101
GuLoader
9767731cae5b82c792fc165a9f024425866ca4fbde32b2dd4e9ac6fe12bc3548
GuLoader
a32c37dd601a6fcdd6e622b2c928c7ef7935a77a0df9a2dfb9c7774630dd266e
GuLoader
b6815b7c6bd39d114da295e839d472997b073db3d57429aadad20bb73c7b47c2
GuLoader
c7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa
GuLoader
da9905dfd7e60f5a61bd23a3820c461bb67d59f5dafea80ee20f838871c9ce83
GuLoader
+ 490 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-631t2k7sje/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 60d73d403158b2d410a20a399b55983504489e5b3b85ef4ce4f3fd0cc1cc0499

GuLoader

Executable exe 5fc23e159d21753ca7140091700214b2c277d0f94e80280b58bbfda43930e7d2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366788/
  
Dropped by
MD5 3ca0f81d598b3e10d7356531cbedbf48
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 60d73d403158b2d410a20a399b55983504489e5b3b85ef4ce4f3fd0cc1cc0499

Comments