MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecab33f5998dc995c200750f575b8571ae2a9d00b8264ed557be2d651230064e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecab33f5998dc995c200750f575b8571ae2a9d00b8264ed557be2d651230064e
SHA3-384 hash: 2a8b6c4ff8862f1005a0fdd7d9304877fcbf5b99b82e6d00b105b069d3c477113c9f5e1dbeadb595e805aebe05c21f1b
SHA1 hash: 6bbdba1ed1ec32544a023e70dc68957b7e1406c4
MD5 hash: 769e0e66e0f9a1724da3940d7fee3b26
humanhash: sixteen-equal-burger-snake
File name:NEW PURCHASE ORDER_22052020_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-05-22 10:14:54 UTC
Last seen:2020-05-22 10:52:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cf58b1adf4cbdd1e2c075ffe9b6b2ec (1 x GuLoader)
ssdeep 768:HCtSL+0pqPL2E9mvGFGNSN23bxZxFkUMcgt8THohxu9+HJj0lt1dzujp:QSL+n2ERgSN23fxFPM6H+JSt1dzcp
Threatray 1'610 similar samples on MalwareBazaar
TLSH 6F932B1276B2D8A6C7208BF15A32876875F3BD319A294E0734CA3B1D2D33F0D9669717
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: s1.smallhost.in
Sending IP: 103.46.239.70
From: lbbakes@rabdos.co.za
Subject: RE: (Urgent) Vessel_5748- Arrest on court Order
Attachment: NEW PURCHASE ORDER_22052020_pdf.arj (contains "NEW PURCHASE ORDER_22052020_pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1QHr-1JPHjLiZaEeJT-6RGU0abR7Nf5Wb

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 10:37:19 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c
GuLoader
2215802f5deb432f07a1aeebb7eeeffdf18cc5a035b0315ea693b08a4dbf942d
GuLoader
5f8025bc323e672da091a43d6d7ddf8cc6d9e880ddefde5955d0cbafd0092c83
GuLoader
69e3e7a0726435f1d48dc9d56db3a3759fb038b9c8b7506ce48e5efc5460d839
GuLoader
7a3acd412036e1f071595f9ee144d45ee7dcc0a6f4fb8c6ed45022ec423e6061
GuLoader
803e96c5dc273ebc317b62354c790742fbb9807ee577e52790f293ed8298dde9
GuLoader
85efd0b4c3bb6232c4e075e99c46574b564785b0bdfa1b8bd91805922d91cef3
GuLoader
893ef71a58da9c450161aa56fddb97cd0e9c377f94a55e1d71a42569ee085de3
GuLoader
b5f6c2a230e8c24dd4859e076e8802d5785c6af1056388a3bb660d091c1437ac
GuLoader
fa4d6e0887210c5f967d3349942cd846130e5c3c227e56cb0782ec4bc0d9bea5
GuLoader
+ 1'600 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-ysgw5ar7gj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 6619464c4f87b94065a75d7f9f33fb63dfc11c7f5251a2d90952ee725393b516

GuLoader

Executable exe ecab33f5998dc995c200750f575b8571ae2a9d00b8264ed557be2d651230064e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366527/
  
Dropped by
MD5 785654c8b2517fcbe112bf04ce92f20e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6619464c4f87b94065a75d7f9f33fb63dfc11c7f5251a2d90952ee725393b516

Comments