MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd87e9c01a0bf9cc9e8df91cde201e7993643d877029edaa053dda0dd916515a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd87e9c01a0bf9cc9e8df91cde201e7993643d877029edaa053dda0dd916515a
SHA3-384 hash: 1813e7f16c9ce7415367a6aca43da88df0c58670bd47012be309f2cb699ea7c1a2c009e6c3f2d7a024347abf4ef2066c
SHA1 hash: cb7b63a173ac789c769b5d0407499f8f6efa998b
MD5 hash: da4a4fcd067ac2340626e6bc5ee6a01b
humanhash: grey-kansas-georgia-comet
File name:prevod_2005220k8YIBR.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-05-26 07:38:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1cb47d9bbcd2252a8dafd40bc51f7787 (1 x GuLoader)
ssdeep 1536:B+LUUS15gSXt9xpc18KhF3h9CoYihDVZwRm3NvY:oyC8KhH9CoYihhC
Threatray 215 similar samples on MalwareBazaar
TLSH D3B3E603B8DCEC81EC162EB11FD15AB44D12BD21AD526F03F98FBB0E6D765912BA1316
Reporter abuse_ch
Tags:exe geo GuLoader SVK


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: server.avrasyarulman.com
Sending IP: 185.239.237.91
From: nonstopbanking@vub.sk <nonstopbanking@vub.sk>
Subject: Potvrdenie o zadaní prevodu
Attachment: prevod_2005220k8YIBR.pdf.img (contains "prevod_2005220k8YIBR.exe")

GuLoader payload URL:
http://185.205.209.166/wext/n-bin_GuMUo43.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5636/
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 20:36:10 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 30 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
11124347d4a19a4f709bb4ebb2f9c12873f4f079ef3d5e60e18fa9a975302c70
GuLoader
31bbcec93f8b67bf3f88604f02be4ab02ef1b6b55829d864381db26848ee8773
GuLoader
3f0127ee22232724e7bedc05751de652d3e13a9f017ef69e2097f49fcc17b4c2
GuLoader
4308487d53d3dc60b85e3aa3ed9753591d34c0ddba9ab1da7e0e9f6117535144
GuLoader
4a1ccc4107466c1cc4454548d16cce5b1104177af32a60ffdf07d5af5f9141ca
GuLoader
4d71f1eab01045de9ae76ea248be7746bad70c12ad977eeb6e8f8e46bbce6395
GuLoader
6005ff1373b7a3600ad4b5700b4d9b6c13827015a97fea1b030189655bd8e986
GuLoader
6ee45fdfe890e0199f1c72f05fd27218c358ddce153f85d4e683d3ba72dbc2d8
GuLoader
7bf07cca387afc2d6efa371499a79223af509a0af21a1953d3e83fcf8c9554ba
GuLoader
98078521ebb6c3291b2dd3b05fb3b33ecc1d096d6eb70b319d5574281a970128
GuLoader
+ 205 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-pjnrdgbpta/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img dc0ff90fa86cf8c4d22b49ba8989bba45b768ac971b83bc64deea1f0508e5f7b

GuLoader

Executable exe dd87e9c01a0bf9cc9e8df91cde201e7993643d877029edaa053dda0dd916515a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/368640/
  
Dropped by
MD5 cd92439e6d4ce89dc4b4ffb1148e83ab
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dc0ff90fa86cf8c4d22b49ba8989bba45b768ac971b83bc64deea1f0508e5f7b
Cape
Cape
https://www.capesandbox.com/analysis/5636/

Comments