MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771
SHA3-384 hash: fdd5700e6c45992a038f7c7c8d0a8db5cfd86ec8cf10ed0803396831a71107ce6ae65c58c365987694412870c2ca59e8
SHA1 hash: 4e14f148c44d2afa65170500bae38456aeea6dc5
MD5 hash: fe1c36e91d10b9362bb6ccd908cd4179
humanhash: floor-helium-fix-michigan
File name:Purchase Order.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-06-03 13:32:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1cc5e4409f9ce2ba12b08f9a89c6a2f8 (8 x GuLoader)
ssdeep 1536:ISPfxV40l9TeyzyXXIoYeqkxfkgrKHxLdGKc+o0FDHdZ1gIV7H07rbmF1+I4FC:RPXlBeXXIoYeDKVdhjFD9zh+XbFC
Threatray 1'127 similar samples on MalwareBazaar
TLSH 23B37B13ED4D8A53D1144BBE2D174EB97B1EAD1C0C405BEF64367E9B6E312422DAB20E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: teyseer-services.com
Sending IP: 104.168.141.201
From: Khadirulla Shariff <khadirulla.shariff@teyseer-services.com>
Reply-To: Khadirulla Shariff <khadirulla.shariff@teyseer-services.com>
Subject: Purchase Order
Attachment: Purchase Order.img (contains "Purchase Order.exe")

GuLoader payload URL:
http://192.119.64.226/ccv.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6331/
Detection(s):
Win.Dropper.NetWire-7996875-0
Create hunting rule

Win.Malware.Razy-7997182-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 10:36:32 UTC
AV detection:
20 of 31 (64.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c72s3p3d4igli4pg3jlzkumdagdei3mbjikbmlwdk2ogf63pa5yq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
15187de4f29194c60f3f199549c345592e967ee8ecf9a39b0a40c1796fdb222c
GuLoader
24ebf6b9c1e61b3bdf58d0678683a8cae05860849a4d8b58a089af47a5ef67f7
GuLoader
3e3529db8cde73fcdb792f6414ebe6fb9a6ec5ba5cf5f503376a795387b2020e
GuLoader
6535df8dcbd659939c18a93ee2b58e8ef05898e1baa30932cf3cfa876659d183
GuLoader
6715e87f7070a2d7b5b2c71e98a7bade689a504aed3b95654af3494248a501d4
GuLoader
877f342fa777bd70c1308b545ddaff6e70d9a8840c819713e34fcef56e736630
GuLoader
c42ae355f2541ec7be30e51b1fcb50a1c7d8b0d6afa717dab533369cb5a69011
GuLoader
c8e91120db97c2cc33d799fb33cefcb6e199cb68c824500f22ec8fc1736a90b4
GuLoader
dbf51889fb95ed46a824128ef165335d4662021bd8974f850e168478b77fe3cc
GuLoader
ea12fb909266d6a6f7315c8ffe0fcedb6b63ba660cd91e7c2ac4e6db14596171
GuLoader
+ 1'117 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-5bgb4qh3yj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 5acdbf474d5ba6e5efc471bcab0791b8de9413cb442c6a2c775166d85184d64e

GuLoader

Executable exe 17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/376033/
  
Dropped by
MD5 0ac3d65ebab27fe36365d82a789faf37
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5acdbf474d5ba6e5efc471bcab0791b8de9413cb442c6a2c775166d85184d64e
Cape
Cape
https://www.capesandbox.com/analysis/6331/

Comments