MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31bbcec93f8b67bf3f88604f02be4ab02ef1b6b55829d864381db26848ee8773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	31bbcec93f8b67bf3f88604f02be4ab02ef1b6b55829d864381db26848ee8773
SHA3-384 hash:	234cc24de34e2a1eac68ac2ffa0e946689791f7a5fd01a23ffbd7c115703f0cd99e896a343a2dc1e0da4446c13e62d2a
SHA1 hash:	0232d488c014528d8fbaaeadf2f6820aa7a8aa8a
MD5 hash:	3f5bdc76cf1784298f0e3cab49477f38
humanhash:	triple-thirteen-bakerloo-pasta
File name:	AS Alexela Terminal.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	110'592 bytes
First seen:	2020-05-26 07:30:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e0c654e73de81b96d982a828b6e9a756 (1 x GuLoader)
ssdeep	1536:RO2frJKHbeXEzZC55wg/PHA/UWvQo/R7/tAO+c:0deXEVBg/I/U9o/RriOZ
Threatray	5'241 similar samples on MalwareBazaar
TLSH	B9B3C516B5D59CB5E97C0FF08A71D6A02D32BC301811CF137A8EB74EE67B68598E431A
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: 162-241-215-51.unifiedlayer.com
Sending IP: 162.241.215.51
From: terminal@alexelaterminal.ee
Reply-To: terminal.alexelaterminal@email.com
Subject: AS Alexela Terminal // pakkumise taotlus //
Attachment: AS Alexela Terminal.zip (contains "AS Alexela Terminal.exe")

GuLoader payload URL:
https://copiadoras-delcentro.com/a1/bin_jaEfB9.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

72

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/5621/

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-25 20:00:02 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

20 of 31 (64.52%)

Threat level:

2/5

Verdict:

malicious

Label(s):

guloader

Similar samples:

22d5036d18a7dbaf7a67487165b4bca434220d5d066ba9f74bc1ad20eb37290a

30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921

344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be

4359188e33f22ea7022cb6e57a3870f2613a1c37dbc483475e02b38cde5bfa8e

45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f

4951d233fb87fd6036e0baadf6b91ceb91ebe5d61fc048a27949949c8476b82d

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

897c29c75ae58e4057c0d32c3704469a7ecfa4878f5d0c60ad8abe2fa821b0b0

9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412

d9ea7ed19010ef0c36ebd05d5abfd5624e21a33ad5e18ca36007671d86eba8b3

+ 5'231 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-msc3cj5k72/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 33773ec8398380a43403e2670bbf33406d9e050f4f6605f3168e4a09a8fbe8f0

exe 31bbcec93f8b67bf3f88604f02be4ab02ef1b6b55829d864381db26848ee8773

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/368651/

Dropped by

MD5 5d04e1c5770d669413ba42c56be9b8cd

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 33773ec8398380a43403e2670bbf33406d9e050f4f6605f3168e4a09a8fbe8f0

Cape

Cape

https://www.capesandbox.com/analysis/5621/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample