MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6523cec93d68e38809ee7a9da3121fd5e535d2755828f668aa507a0b0d18b1e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	6523cec93d68e38809ee7a9da3121fd5e535d2755828f668aa507a0b0d18b1e4
SHA3-384 hash:	fbb4f879d3f2a040b6bd7f0c7e8ee1c8621cc91c051e59d2ed554ead84ad1ef9fe6168e52caae097ab90a2dd660e4e89
SHA1 hash:	5b9ca74f20e9db78f159f613edf15d2596dcb8e9
MD5 hash:	76390b2700d20925f6372f1302eca538
humanhash:	magazine-lithium-network-snake
File name:	SWIFT TRANSFER COPY.pdf.bat
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	94'208 bytes
First seen:	2020-05-22 15:04:47 UTC
Last seen:	2020-05-22 15:48:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c2d4474df1bb9123c0455d0bf495a4ce (1 x GuLoader)
ssdeep	768:Tz+KtZa61wBpdMJKWOXl1T/eyEXPqHIzM3HctpLPmXCN1taJxqHhxCPzmzLry98:n+3VBp2JN4XoXC3HMTxwmvt
Threatray	721 similar samples on MalwareBazaar
TLSH	C79319327690DD96E5298FB00D7687680477BD791A000F1B32CD3B5E6D33A8EAA7135B
Reporter	abuse_ch
Tags:	bat GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: pro03.emailserver.vn
Sending IP: 103.15.48.223
From: ACCOUNTING <kt_1@achison.com>
Subject: RE: Payment Receipt
Attachment: SWIFT TRANSFER COPY.pdf.r07 (contains "SWIFT TRANSFER COPY.pdf.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1zpSdW4Tji4URCA69dGKz-v62r_7LJazk

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-22 15:35:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 30 (66.67%)

Threat level:

5/5

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-rbhfs2k7fs/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

r07 d45cb0cc3ad0cf6ffe10da946aa402b9e227fb0ac2a989e37904c8626c34c2c0

GuLoader

exe 6523cec93d68e38809ee7a9da3121fd5e535d2755828f668aa507a0b0d18b1e4

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/366785/

Dropped by

MD5 35029684e39cf6975e9f1345ea9f6b7f

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 d45cb0cc3ad0cf6ffe10da946aa402b9e227fb0ac2a989e37904c8626c34c2c0

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample