MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c8251c9e4f2d470d79530e8a6e57f3a59216cf6366e97464d743d3f25e534cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c8251c9e4f2d470d79530e8a6e57f3a59216cf6366e97464d743d3f25e534cc
SHA3-384 hash: 6a3dbdfbdd3a3be22427c17c7367087e454b0ab8031d8844e0f00d62b8c9d77e26581494618ab1354019e14a9d45a0fe
SHA1 hash: 477836af2a28280299a3268c000e7a7941b046fa
MD5 hash: f5977b0f221027db4b2b9fa4af23b877
humanhash: mars-nineteen-johnny-alaska
File name:Unhyphe4.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'824 bytes
First seen:2020-06-02 11:16:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 60478853a8e541d7e2952759be9d6258 (1 x GuLoader)
ssdeep 768:u3hc7416N8lBR2zl35orsP77paBHGCi75G3GRvo9RHkEtl+XdG:u3FO8lLo5oIfwBHCNG3io9RHdP+t
Threatray 881 similar samples on MalwareBazaar
TLSH F9735A236D08CA12C97047715C67C7AE2F16BC4C5A825E4F385E6EA7BB323B1AC5D11E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: alpha.promptserver.com
Sending IP: 138.128.190.186
From: Scott Andries <sandries@ieee.org>
Reply-To: sw4629342@gmail.com, sw4629342@gmail.com
Subject: Ecoplexus - Request for Quotation - Westminster PV1 - Main Step-Up Transformer (34.5/100 kV, 50/67/83.3 MVA) - HICO
Attachment: Request for quotation.img (contains "Unhyphe4.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=F5533CD060D35070&resid=F5533CD060D35070%21172&authkey=AEfwKi9xdeJnye4

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6084/
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 11:37:09 UTC
AV detection:
22 of 48 (45.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fsbfdspe6lkhbv4vgduknzl7hjmsc3hwgzxjorsnoq6t6jpfgtga._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2a058410467d9a9aca36e588d9e3a0436b90b949c352f05ace83aa244e2567a2
GuLoader
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
GuLoader
36dfe939ec3ee8460a6277c78e8f360969f65cb970f829e407039f78d2aacbbe
GuLoader
4c83cd741a7210492c0146135bd247c08aac84ce75b26e520c1e74f806d71452
GuLoader
6604738347de31acf8c045750f89e3f8e1bf57e29007dbc0fd7e21fb4d7e9aa3
GuLoader
9ba9dbccef86d6630e4db6c7538eb4043232c7f234c1377eacdaa6543d2b8af3
GuLoader
a8c03f50ff8217b8e4fe7e650360a566003875d0a943af2f2b3b895908872e4a
GuLoader
d9b7293da93fe26342d47b1f00180746b3ee0ca251965e199996ad38c82fa422
GuLoader
e35d5297a515ddf23ac671f6110bb8f01a590e13d45dbeae5e96e0be414236b5
GuLoader
e4402badda18b6a4c832fcb22697a4847bb438350502975e764257027dc7f670
GuLoader
+ 871 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-76h94f9qcs/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img a4e889f4a554ca998050f18315dd94bffbcbe9f57c7ac5332b4ec1c9d899a3e2

GuLoader

Executable exe 2c8251c9e4f2d470d79530e8a6e57f3a59216cf6366e97464d743d3f25e534cc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374270/
  
Dropped by
MD5 b3300d1382e40ddbc3c12e74443b0413
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6084/
  
Dropped by
SHA256 a4e889f4a554ca998050f18315dd94bffbcbe9f57c7ac5332b4ec1c9d899a3e2

Comments