MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 345ed143bf3a28f74de72fa62a271a67fb28ae04e6ca0fefa8eb09c7782dc3e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 345ed143bf3a28f74de72fa62a271a67fb28ae04e6ca0fefa8eb09c7782dc3e6
SHA3-384 hash: 1e9de53a8dbee2bea33495841fadd25ba7e0574dc6bbc29b6fa266d413572d3d82c0a07806a4db7ef0d3ed5b1b8259f6
SHA1 hash: c32cfb5b8bb8589e538d62be8a754a345caef6df
MD5 hash: 7d53114c389b985c3004e24220eac9fd
humanhash: ohio-georgia-quebec-yellow
File name:REVISED INVOICE DRAFT & FINAL DOCS - DHL WAYBILL 50 9081 1806_IMG.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'824 bytes
First seen:2020-06-02 11:10:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e166435611e37d64fc8f86879c8c846 (1 x GuLoader)
ssdeep 768:LShc7416N8lBR2zAANwsnlXTCK9jbDaaB/hVuljSLYbvv9exJzK6ulOh:mFO8lL2wsnlXeSbBhLKv9eX
Threatray 985 similar samples on MalwareBazaar
TLSH AF732917AD08CA22D5A046701C67CBAE2F16BC0C46822F4B355E2E5FFB727B56C8D61D
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail2525.himayadar.org
Sending IP: 62.138.18.161
From: Allen Christopher/ Kuehne + Nagel / SIN ZP-DT <info@mail2525.himayadar.org>
Subject: FINAL DOCS + DHL WAYBILL 50 9081 1806
Attachment: REVISED INVOICE DRAFT FINAL DOCS - DHL WAYBILL 50 9081 1806.img (contains "REVISED INVOICE DRAFT & FINAL DOCS - DHL WAYBILL 50 9081 1806_IMG.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1hvfMCPoWFUWe232MEyroBTNT1bbdSqMc

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6062/
Gathering data
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 00:50:52 UTC
AV detection:
15 of 31 (48.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=grpncq57hiupotphf6tcujy2m75srlqe43fa735i5me4o6bnypta._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
26fc46f356639b8fe74cd3df54e1416d07d225950c846bf166f3679152a8e5a0
GuLoader
2a058410467d9a9aca36e588d9e3a0436b90b949c352f05ace83aa244e2567a2
GuLoader
639c28cc97accffb8a92a13ad5056da2a739421ef4965e768fa57356a6685d19
GuLoader
6535df8dcbd659939c18a93ee2b58e8ef05898e1baa30932cf3cfa876659d183
GuLoader
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
GuLoader
7d53275640b52b08bb54259f6bc85edad2dfe30b6b5f9cea9ddc8d7469d97cd8
GuLoader
8fac7f5a497d4b313250507c1939fab835e49b75f532dea338231747784588da
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
cac635b83d0ee884f8d8bbce419b4c9d13273f4a10c450c2ea50830dc683e3ac
GuLoader
efecbafe7ddfe1306dac292dbd23be0caf62c5423a4c7a91086b0ca194a5e3ed
GuLoader
+ 975 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-ptw263mwgn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 3d1fd7ebcf0df90e756eaac2fc543fb1c918dd579a249a7b857c1eaab2c7ace1

GuLoader

Executable exe 345ed143bf3a28f74de72fa62a271a67fb28ae04e6ca0fefa8eb09c7782dc3e6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/374440/
  
Dropped by
MD5 8e69f84bb31e1848e4dad0885d720bc1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3d1fd7ebcf0df90e756eaac2fc543fb1c918dd579a249a7b857c1eaab2c7ace1
Cape
Cape
https://www.capesandbox.com/analysis/6062/

Comments