MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c57e2f4dfc204c1e9768a3c722cda303af4795c7272a0b94b308cfe8c9c97b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6c57e2f4dfc204c1e9768a3c722cda303af4795c7272a0b94b308cfe8c9c97b
SHA3-384 hash: 48fd6056affb7b9937139d6d10dabe8301eac76d9018b15af0c8628dd270b6b6b6e97721ff9a4fc4d639fb45be15a3f4
SHA1 hash: cc074792ed6de5fde9168d2f2da063827a0ced9f
MD5 hash: e06c5c39d35a0ebafbb3dc1d5e709bc7
humanhash: pip-sixteen-salami-kitten
File name:swift-pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2020-05-27 16:46:45 UTC
Last seen:2020-05-27 17:50:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a7daba2b3ecf3ae562fac78c93051925 (1 x GuLoader)
ssdeep 768:yCezDC/zDOOWq6zikEc4ne8qM8qMIL6ef7z26+iVnQnxuw1OMf/opkeNi4Jd4hAD:iCrrcik0Eg5f7z2KV2swFf/XeNu1k
Threatray 267 similar samples on MalwareBazaar
TLSH F0B31813F5A85D71FCA48BF5087289952D72BE392E291F077609FB0E19335CA2B60327
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mailgate08.ps.kz
Sending IP: 78.40.108.8
From: qaqc2@umirzak.kz
Subject: swift payment confirmation for PES50406 invoice TSF20010001
Attachment: PES50406 invoice TSF20010001.pdf.arj (contains "swift-pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=16_HEi9EIbQ_7YEOXUK6yg7Dgymc7naVU

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5728/
Detection(s):
SecuriteInfo.com.Variant.Jaik.40167.5739.27220.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 03:27:56 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1d117728ec260d80f6c6a347c4c32c965c69ff10bd4f08444fc70e82eebb1094
GuLoader
1d7f1bd2e98ab61ef9f350289c83791d4da1463576ea3591b8cf3b9228f506ab
GuLoader
3371cb1ea5c1990f19e0141454e418ba8e30d70c140d5f4cd3e797aa80a9bb9c
GuLoader
39e6a374774392541d763a447932461156263e643508c7958416023115d3ff61
GuLoader
74be8ec7f1c7a53246ebfbf34940e271ce2f12fe3d1beb10c5b6d2f03606739b
GuLoader
83c07662096e054ff35d85892e828e2f4127015e0d940e88c3c0cf30ac655bc7
GuLoader
98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced
GuLoader
a937b882d7884c7b1c92377d8a708cb5e65377c1bc6d6aa923e7183c89da91dc
GuLoader
c1fc7c7bbff5e20c961978c33ad1502afb86703bf950afb2c8658a0ea43798c8
GuLoader
ef5f67e08e4f10648a4002c0cb4a45a7480498d2d2f3ca02ab6c8561992c803b
GuLoader
+ 257 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-35w12aptra/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 84633e7f323461a440b861480367948fc481415052648ad05f334f2d876ac63e

GuLoader

Executable exe e6c57e2f4dfc204c1e9768a3c722cda303af4795c7272a0b94b308cfe8c9c97b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/369911/
  
Dropped by
MD5 f308265d920a4d5d807c8437e731a126
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 84633e7f323461a440b861480367948fc481415052648ad05f334f2d876ac63e
Cape
Cape
https://www.capesandbox.com/analysis/5728/

Comments