MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e3e7a0726435f1d48dc9d56db3a3759fb038b9c8b7506ce48e5efc5460d839. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69e3e7a0726435f1d48dc9d56db3a3759fb038b9c8b7506ce48e5efc5460d839
SHA3-384 hash: feca7fd3be62b5551f6b252c255d48ef56f41551fb9e42c640bb37d7d9222664170c2fa651557fdceaf9dbc05840a317
SHA1 hash: f7f97cfb4aaf029efd2a1c3006ba7135d6b88326
MD5 hash: 136249853c8c2103b17e948c66168e35
humanhash: carbon-fourteen-victor-butter
File name:SHIPPING DOCUMENTS_PDF.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-05-22 15:04:12 UTC
Last seen:2020-05-22 15:48:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b248f6a6360434f12b4832a8033762f3 (1 x GuLoader)
ssdeep 768:QqyHDegrrbGjL+jljhlhn9n/hoVGRxp+F5u/TOHVB13stbOqjy:hyjegrkL+j1h/n9y8O1PQyAy
Threatray 1'759 similar samples on MalwareBazaar
TLSH FC933A32FAA4DC72CD244BF21D3A479410ABEE301E824A1778C63B9D35325CDA9B5797
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail.nwiran.com
Sending IP: 185.94.98.43
From: NORMAN LOGISTICS LTD <info@kts-me.com>
Subject: Confirm change in Goods destination
Attachment: SHIPPING DOCUMENTS_PDF.arj (contains "SHIPPING DOCUMENTS_PDF.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=16pdtfZQsIuTKlvUWbPTFf7qt38rdyUVy

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 12:20:35 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
122256cada458b72697ddcda3d76cb49671318a2e38e898f7f38aeb6f1a19cab
GuLoader
13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c
GuLoader
2215802f5deb432f07a1aeebb7eeeffdf18cc5a035b0315ea693b08a4dbf942d
GuLoader
5f8025bc323e672da091a43d6d7ddf8cc6d9e880ddefde5955d0cbafd0092c83
GuLoader
7a3acd412036e1f071595f9ee144d45ee7dcc0a6f4fb8c6ed45022ec423e6061
GuLoader
803e96c5dc273ebc317b62354c790742fbb9807ee577e52790f293ed8298dde9
GuLoader
85efd0b4c3bb6232c4e075e99c46574b564785b0bdfa1b8bd91805922d91cef3
GuLoader
b5f6c2a230e8c24dd4859e076e8802d5785c6af1056388a3bb660d091c1437ac
GuLoader
ecab33f5998dc995c200750f575b8571ae2a9d00b8264ed557be2d651230064e
GuLoader
fa4d6e0887210c5f967d3349942cd846130e5c3c227e56cb0782ec4bc0d9bea5
GuLoader
+ 1'749 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-s6vh8flk52/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 23fe280af4a8b387ed617ea616788b25767e6d14892735cf98652b96959cc84f

GuLoader

Executable exe 69e3e7a0726435f1d48dc9d56db3a3759fb038b9c8b7506ce48e5efc5460d839

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366485/
  
Dropped by
MD5 fc5952542f0659abccef6ff0689bc3fc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 23fe280af4a8b387ed617ea616788b25767e6d14892735cf98652b96959cc84f

Comments