MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: GuLoader
Vendor detections: 3



SHA256 hash: 1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b
SHA3-384 hash: 46e44362a63054e30b3161c173d82bcd143ef675ead77f62fe0277ec6d909897cdd75ba460c1f1f1172d8422c58b10a6
SHA1 hash: 1390acba53fefde01571fc15a3e3f0971c254ec1
MD5 hash: ecfce5d3e49d2ad94acc1f5dd630b2b3
humanhash: equal-bacon-vegan-steak
File name: RFQ.exe
Signature: GuLoader
File size: 55'040 bytes
First seen: 2020-05-25 13:31:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: cb7633a39e79f118d19fae837c581534 (1 x GuLoader)
ssdeep: 768:NEleQqBEhsUw0dzKxqeUi5yj0SdfhQxrtFSxf49FOcL:dLBE1niqu5evAxYf4u0
Threatray: 5'471 similar samples on MalwareBazaar
TLSH: 4B3319E0F1F4513BD3B7DD70DE7282D405BF3D7C6609841B1A50B5CE0A79A08EA6A62B
Reporter: abuse_ch
Tags: exe geo GuLoader KOR

Code Signing Certificate

Organisation: Astigmatomete9
Issuer: Astigmatomete9
Algorithm: sha256WithRSAEncryption
Valid from: May 25 01:33:19 2020 GMT
Valid to: May 25 01:33:19 2021 GMT
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 42CF9FEB27EC4F50AC107BA9CEF9CBB304D8AFD6CDED53827F70F913C75736B4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Malspam distributing GuLoader:

HELO: navy.com
Sending IP: 173.82.106.230
From: Lee <emil@haroldbray.ga>
Subject: Fwd: Ningbo Zhenhe - 9K Oil tanker - Butterfly valve 견적 요청 건
Attachment: Ningbo Zhenhe - 9K Oil tanker - Butterfly valve.IMG (contains "RFQ.exe")

GuLoader payload URL:
http://37.72.175.206/bin_wbVGYxNay136.bin

Intelligence


File Origin
# of uploads: 1
# of downloads: 73
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-25 13:36:41 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 14 of 48 (29.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam / GuLoader / Executable exe 1de9da3a2c6effe9e9eae16a0d70fc19c633e479073f308a666665b0628e866b (this sample)
Delivery method: Distributed via e-mail attachment

Comments