MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab4b09899d64fde8ca45f853009a739bfc0d75ad404d1cbcab7fc381169a1612. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab4b09899d64fde8ca45f853009a739bfc0d75ad404d1cbcab7fc381169a1612
SHA3-384 hash: 5a9546e44bb3f45f48c7f1375616fed0b6ac346abd25444ef1a7f7d364a388d64eb11bdc710b07a2855eb685e52e5801
SHA1 hash: 67c85510af5b90486789468c37d1e7ff337ed596
MD5 hash: e123d87992b3a81cb61ec8570c8c27bf
humanhash: mirror-green-mars-california
File name:Ensto Purchase.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-05-22 10:32:33 UTC
Last seen:2020-05-22 11:46:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 36dc0e13288e6fab5f528bcfafce34e5 (2 x GuLoader)
ssdeep 1536:q4Sy7vcFfq4NBoXVXtHY2bltYe4iv45kPqUOtytBn+:q5ycI4NBolXtHY2bltYe4i60p7nn+
Threatray 746 similar samples on MalwareBazaar
TLSH 10933A66B2A0ED62CD340FF05A71C69864A3FC3429500A173ACA7F2D2B73E4E9935357
Reporter abuse_ch
Tags:bat GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: ensto.com
Sending IP: 37.49.230.137
From: Sales <stefan.balund@ensto.com >
Subject: Ensto Purchase
Attachment: Ensto Purchase.zip (contains "Ensto Purchase.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1PZjlOPrUThioBGkEsOnfuVWp_v4jtLCU

Intelligence

File Origin
# of uploads :
3
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 10:37:07 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
006bb451c7207fa375e67a1684a97136a46beea1ff74e193eb4bbf6665a0ec9b
GuLoader
09476389f92f23216cbb99cf3dce7e07deee2fdc29d63b066aef91e9b1a78197
GuLoader
5df5978473c4b77bcb6a3ec9d13f4c0e10b03a1aa82118235a6cf748f2c7809d
GuLoader
60201a00a9f96b8efea761e31e3483a7a5bfd04ad66f766b3dd7b24e00664069
GuLoader
6f47b4825836d58654b05deac55c892825a83e479c406b9b027a0dc6bd8e3938
GuLoader
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
GuLoader
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
GuLoader
c4b5846ab10b6ac87f6f176bcb8a3f76a720628fd8b1aa9d7c1f603192f67bd0
GuLoader
c884dcf4fa00359eeb51ead67cd41d9a68b71f09e3588f03456244eddaa36fa0
GuLoader
d7162b14867eff2ee6b1c0506f91c4e8c1a1cea0ddae632bd49156a179549772
GuLoader
+ 736 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-h2ga2kdm4e/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip ebdfd6bc0923ac8ad7769946a9e332cc9c2f6139cdf978bdb430eb39191c5659

GuLoader

Executable exe ab4b09899d64fde8ca45f853009a739bfc0d75ad404d1cbcab7fc381169a1612

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366536/
  
Dropped by
MD5 fba7ed8082c9aa4b66b267d9530477a1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ebdfd6bc0923ac8ad7769946a9e332cc9c2f6139cdf978bdb430eb39191c5659

Comments