MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca9d9bba55a17ac5f0a879efb36f842d2068f0c9844fb8e1285156cfb720d740. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca9d9bba55a17ac5f0a879efb36f842d2068f0c9844fb8e1285156cfb720d740
SHA3-384 hash: 8126343781f8384f55ae2670db7e8b6ca61f8ac12498fe75c5942c2ba61e7b33fad83da711d0ee8b8c7568a5f4294d05
SHA1 hash: a57859e60363b4ffc3f1cc78f2e0e0bc734cd13d
MD5 hash: 3660289fd74bd36e8acb51ab5b3b94f9
humanhash: eleven-robin-twenty-timing
File name:INVOICE.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-05-22 10:19:10 UTC
Last seen:2020-05-22 10:52:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e962f8212a952da5e058314d60017983 (2 x GuLoader)
ssdeep 768:a50uqMtLGyQIoHfRPlFLytesVmDn/1uEmho8V5lBEEjhcXSTDY3vp:A0PMgI8JLLytRVo83hvEUcR
Threatray 210 similar samples on MalwareBazaar
TLSH 6893F726BA80DC73C5300FF15A728288507BACB1DB214F4BB9DA3B1DA53614D6B7539B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: seed.net.tw
Sending IP: 139.175.54.24
From: Mauricio Mier <mamier@eldorado.com.uy>
Subject: SIGNED INVOICE
Attachment: INVOICE.r00 (contains "INVOICE.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1czd409N3punnxOPYasYBPh1On5hUEnTu

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Netwire
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 10:37:13 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 48 (45.83%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
20450686b8930d7bdd00981e6766d1c7c51fbe06f4e3f8e32e29fa4cd8cdc307
GuLoader
20be0c183bcbe3cf8b803b2afa2a87fddd7ec2adc68666fa29eb15c77292a0b9
GuLoader
2514cc0d95a79227b308e5834eb780ba105109fcc7fc02fc11ef3a03e61cac46
GuLoader
42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58
GuLoader
4408001ae2b6c11aa2c25f77fea7d8c2118d7eac3f8409246be40b7549b408d0
GuLoader
4a1ccc4107466c1cc4454548d16cce5b1104177af32a60ffdf07d5af5f9141ca
GuLoader
98078521ebb6c3291b2dd3b05fb3b33ecc1d096d6eb70b319d5574281a970128
GuLoader
9b4235ad000e2c60ee36599e355a2f7102a4b943db1075e02ff1036c0bc0ccda
GuLoader
a58514d885d493ebb627f107f0a3ded181311e153038fdc1626323bbea512f47
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
+ 200 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-7yqtnwaqd6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

r00 9b424c556dc46aed0946b4e919ba0f0a8905ac7d0a6ff33c82f5e795b6c324fc

GuLoader

Executable exe ca9d9bba55a17ac5f0a879efb36f842d2068f0c9844fb8e1285156cfb720d740

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366524/
  
Dropped by
MD5 73839b60a129ee62c874929024b569ea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9b424c556dc46aed0946b4e919ba0f0a8905ac7d0a6ff33c82f5e795b6c324fc

Comments