MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 705359998910a71e56cde4f359ad4ae767d0182b45f46615ebcbaa969fe5c5c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 705359998910a71e56cde4f359ad4ae767d0182b45f46615ebcbaa969fe5c5c5
SHA3-384 hash: f7ce5c08c0a53ee1d4775983edeab5fd4c3952b8dfb74a97a01a1fac81bc9778e16437a23ceb894e54d6b376ab155eda
SHA1 hash: 1094188d48201e842d47a5b5cf94ec297598ef21
MD5 hash: 1cb505f7019930f98a5934145b82e659
humanhash: seventeen-stream-fish-iowa
File name:gunzipped
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2020-05-27 16:47:22 UTC
Last seen:2020-05-27 17:50:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f8a09f98b8d1cc870a5f24d80773cc9 (1 x GuLoader)
ssdeep 768:Hg5/OjXVqbu496j0P7DGvuo10p7cr0XdT2h4bF4gMJu0dRsuuJKie+gOAAlJZxYC:Hh2L6HdOdT2WbagmDyIi6OAqN
Threatray 74 similar samples on MalwareBazaar
TLSH B3B32917B5908C72ED24CFF1097289A51C23BD382C542F1BB549BB4E3EB25DD6BA431A
Reporter abuse_ch
Tags:GuLoader HSBC


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: merbabu.utama.id
Sending IP: 202.51.253.120
From: HSBC BANK ADVICE <Communications@mail.hsbcnet.hsbc.com>
Subject: HSBC Beneficiary Payments Advice (COVID-19 IS REAL!! STAY SAFE)
Attachment: HSBC PAYMENT SLIP.gz (contains "gunzipped")

GuLoader payload URLs:
https://kinansreview.com/build_NEW_gLpjIcLUO232.bin
https://cmdtech.com.vn/build_NEW_gLpjIcLUO232.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5730/
Detection(s):
SecuriteInfo.com.Trojan.Agent.ERMZ.15488.9631.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 05:36:13 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 30 (76.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
07a9d94f0bcc45ac835d85d49807b711521442d887256bcd7664e95fa8898c21
GuLoader
0f9f76e8ffa64b600745b99b8f7b51cfa151299424e6523995c6c0bcd7a5cd6b
GuLoader
5fc23e159d21753ca7140091700214b2c277d0f94e80280b58bbfda43930e7d2
GuLoader
6da928194ba7abbc975b4b7ce1415b1fc7787a459f137ce07498920fd740bf68
GuLoader
83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475
GuLoader
9620e9e95846fd7b21206464f6e5493290e869a425887621835ecc2a0de82101
GuLoader
9767731cae5b82c792fc165a9f024425866ca4fbde32b2dd4e9ac6fe12bc3548
GuLoader
9bc42c118c6cc7a45c18fc844e0e132c28cfe4f90380f8a6e1305a798b3d15fb
GuLoader
a32c37dd601a6fcdd6e622b2c928c7ef7935a77a0df9a2dfb9c7774630dd266e
GuLoader
afa6acb992c2a3a3ee436a4627f8f5e0feed8e6a77dfa4ed6715069f12aef650
GuLoader
+ 64 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-9vmxh7345j/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz a4edcfb91b67e41529a7ceabaa048ed00168cc3ecb95d11280f9db8f6ef1cfe1

GuLoader

Executable exe 705359998910a71e56cde4f359ad4ae767d0182b45f46615ebcbaa969fe5c5c5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/369924/
  
Dropped by
MD5 f460f9dfb8290487fa9c6e54134edda6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a4edcfb91b67e41529a7ceabaa048ed00168cc3ecb95d11280f9db8f6ef1cfe1
Cape
Cape
https://www.capesandbox.com/analysis/5730/

Comments