MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a1dd64638dac970b58a8dc939415fcc2a4532211295f1c72370df4df91447e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a1dd64638dac970b58a8dc939415fcc2a4532211295f1c72370df4df91447e1
SHA3-384 hash: 3b2412b9f75f9efe6dafb2d634f6ff68450cb110ce93c0efc544afbf6159bc3c6ef1b6412265a6e390664652027a69b1
SHA1 hash: f6be3082f725898a53357194011f5dfc978f8cc6
MD5 hash: a79a189da67ec2790a6b6f80e51de9b3
humanhash: yankee-mockingbird-sodium-mike
File name:tt_copyy.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:94'208 bytes
First seen:2020-06-02 11:00:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af3e9500a572d2660920615b4ae1f9d1 (1 x GuLoader)
ssdeep 768:cvchc7416N8lBR2zgZ/zsxCxtcb7oovCaBifY1sNmnpvJry1avxSMgIHhn2tl5tj:YcFO8lLvXsoo7B9JJaIBnM
Threatray 1'425 similar samples on MalwareBazaar
TLSH E7932A07BE449201E12583711E57D26A7F25BC2A4D42AE4FB68C6E4B7B347636CAC31F
Reporter abuse_ch
Tags:GuLoader scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: worldwide-logistics.cn
Sending IP: 103.99.1.144
From: Worldwide Logistics Co.,Ltd. <sha.ops8@worldwide-logistics.cn>
Reply-To: Worldwide Logistics Co.,Ltd. <noreply@domain-admin.com>
Subject: RE: RE: Re[2]: Re: 20041971 振华下单 转发: 1002000308 1002000308-200324-01 巴基斯坦 CIF 海运 询价单
Attachment: tt_copyy.gz (contains "tt_copyy.scr")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1059Hs1HiFa0HG4H69_02T1kTYmz8V7Ek

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6049/
Gathering data
Threat name:
Win32.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-06-01 23:08:35 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fio5mrry3lexbnmkrxetsqk7zqvekmrbckk7drzdodpu36iui7qq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
15187de4f29194c60f3f199549c345592e967ee8ecf9a39b0a40c1796fdb222c
GuLoader
16ea5dc52c94b89cae902c89ca1e1d5572268b83014fe2d8175061f654295ba2
GuLoader
1e04c1e4eefe23f454553364e757209462f2561d8455628b296b1dbe83fc6ec2
GuLoader
3a865f21dc1c62ee31df28d89094e9e95d480e2bc6b75b3a6543b2906d975a61
GuLoader
7f75534af5e989dd99a02227f555d7fdb4b57396b2eb8fb02eb71623b857395e
GuLoader
8eeb849d5c8c4f3e9e1d2e6bd4f1de00f3c709555c5be74534063372dc4ffa6e
GuLoader
a488990c82230074fdf4f22a014a8f05dbb2bdc055c096c4d4a28b3a8055a648
GuLoader
c1ccf8689de88be32890345e454df2f1fa90e1e4033c0f63425001af42f7aef5
GuLoader
d8893925a5d8f9574be0f322355b79372e9c58dacc1e7737223a7b96e53fe4f6
GuLoader
f4a522f673e38bf75d61a8c1c53dc48b36be2c37986259cd8ef7b605fd6716ca
GuLoader
+ 1'415 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-7xfc53hr96/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 239d728341174c5bf888a596090db66e69dab773ea71a619ec6acc385c5f3bb7

GuLoader

Executable exe 2a1dd64638dac970b58a8dc939415fcc2a4532211295f1c72370df4df91447e1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/373525/
  
Dropped by
MD5 ca8760da553a493c723845a870619f00
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6049/
  
Dropped by
SHA256 239d728341174c5bf888a596090db66e69dab773ea71a619ec6acc385c5f3bb7

Comments