MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98be845142b95ecbd3c9138d67e531253d822494a9359b14ddc83fde3add7996. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	98be845142b95ecbd3c9138d67e531253d822494a9359b14ddc83fde3add7996
SHA3-384 hash:	1a61f27d6d3058334ba65cb299c76fbd44bf3cedeed91ce06d8adfa5dc0d3998e66ca7d924dfbf6488f6979bd3c1e4f4
SHA1 hash:	fc522e271ec90fa99972d1642a99a35ff7b0d2d6
MD5 hash:	1ffd630d7b082499e5fdc3fb1372c38a
humanhash:	nitrogen-batman-burger-yankee
File name:	File.scr
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	131'072 bytes
First seen:	2020-05-25 13:40:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c0fd29652309eab0ef8f1fbedf538fa6 (1 x GuLoader)
ssdeep	1536:kZBQ5w7uyvFIN89pH9aOmJZCBj0xx1XXySQ+:KBkkFIg9aOp0DCS7
Threatray	392 similar samples on MalwareBazaar
TLSH	82D3A743F6965CB6EDB55FF0243AA5141E2BBC0518124F2B3148F76E38F239A61F436A
Reporter	abuse_ch
Tags:	GuLoader scr

abuse_ch

Malspam distributing GuLoader:

HELO: shbc10.ultina.jp
Sending IP: 218.40.207.10
From: tiemchan@technoplast.co.th
Reply-To: tiemchan@technoplast.co.th
Subject: Purchase order
Attachment: Specification materials.gz (contains "File.scr")

GuLoader payload URL:
http://creativewg.com/feedbackV4_WDSZwNs135.bin

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/5571/

Detection(s):

Win.Trojan.Nanocore-7890842-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-25 14:36:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 31 (54.84%)

Threat level:

2/5

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-lm7ksvl7kn/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 5980a42c4d6b65c5f0ddf5fe620ef09bffec35c1f5ddf7b57f9b2c1c979f6af1

GuLoader

exe 98be845142b95ecbd3c9138d67e531253d822494a9359b14ddc83fde3add7996

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/367862/

Dropped by

MD5 385b1b633b2aff43b7a92a802855c19c

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5980a42c4d6b65c5f0ddf5fe620ef09bffec35c1f5ddf7b57f9b2c1c979f6af1

Cape

https://www.capesandbox.com/analysis/5571/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample