MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebd6a36a1a04c51f11cf2bdddb5618da42e2839c1507e34e604627ae214c8e58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebd6a36a1a04c51f11cf2bdddb5618da42e2839c1507e34e604627ae214c8e58
SHA3-384 hash: b19751cae4f6c4a3a23a8a6c32ade146085d719bd839f69841b1e6c876444991fd744fe7ef810f2a3ca2d4a030b600d7
SHA1 hash: ab453bcad17608cb267cb06206801a9afe5a7c6d
MD5 hash: 997b79b9677819b7fae3597a54e081d0
humanhash: december-island-ack-berlin
File name:PO for PR-007320 PO NO-021216.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:192'512 bytes
First seen:2020-05-28 07:05:46 UTC
Last seen:2020-05-28 08:22:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93947d1a0d2ce8742c4495b18b0683f6 (1 x GuLoader)
ssdeep 3072:ODyejKqTmgjVbAtIPgiXDvfb0CQlWsES:OOrgKIP9TvfACa
Threatray 290 similar samples on MalwareBazaar
TLSH 55143A36B671EDA5CA440978D8C1CCF80855BD25DD164E2B3AC0BF2F317A193E96A732
Reporter abuse_ch
Tags:exe GuLoader MailChannels


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: beige.elm.relay.mailchannels.net
Sending IP: 23.83.212.16
From: Yogesh Mathur (CCED) <ymathur@cced.com.om>
Reply-To: groupes.advlr@lory-rail.com
Subject: PO for PR-007320 PO NO-021216
Attachment: PO for PR-007320 PO NO-021216.gz (contains "PO for PR-007320 PO NO-021216.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1ScGzTeIGqRJQRL2YwzOUI1AKziqyT4Op

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5209/
Detection(s):
SecuriteInfo.com.Win32.Injector.EMDX.21690.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 07:38:09 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b
GuLoader
160684d9f79b0e33093a76315cbe47afd4d0f27f5dadd1b6fa314d8ff8a64370
GuLoader
190d8b4baeee83f2a23ce8ed96cc57ce538bbbbed88e69bdfe131ba7438bf3cc
GuLoader
1e27314c6b097bdd158c3438bc48704f681a20d723fc2185bf431e67f8b56e9f
GuLoader
2eea12d417bbdbd859dc38307e5dfa3e90720865c81bc8ff99af0916d65e1a03
GuLoader
39599008089755aa7cccb534b2c94ccb537f266018bb67ae3ed4b9f51c0a40b9
GuLoader
5a8995e3a1c868d8f0b0c0840da1909c7fc2240699ea41a35bb04f7f8b04c9fd
GuLoader
6a6153c0ed8295d63f23fae313939e61eb3f94cd61f7a34a22a6557318f032f1
GuLoader
8f5fd43179a5ab283f7cab4fb285592a73348d2428a7034a1521fb12a1ead625
GuLoader
bd508cadaa46bd60da4540413b6ff4d2d351a7804614ed65fbe1fb211a947d38
GuLoader
+ 280 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-ggpsnl5lqe/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 53954649f47d0af2b5b50e8518557d14cc893570a971a1f80035889bd5bcb7dd

GuLoader

Executable exe ebd6a36a1a04c51f11cf2bdddb5618da42e2839c1507e34e604627ae214c8e58

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/370266/
  
Dropped by
MD5 de546d73001ea9e52a8d25d4cde8df96
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 53954649f47d0af2b5b50e8518557d14cc893570a971a1f80035889bd5bcb7dd
Cape
Cape
https://www.capesandbox.com/analysis/5209/

Comments