MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37a3468d527e22a4cdd0c1e8717a5bca60db2cd8aaace1a4d25b65eeccd8079c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	37a3468d527e22a4cdd0c1e8717a5bca60db2cd8aaace1a4d25b65eeccd8079c
SHA3-384 hash:	aba3ab6298d894872e2b31c89295bfb6eea4668d20b9c0f8752bd1d720f6195d10309e810a08e7658e6138d8b8d727e7
SHA1 hash:	a9292e500ea7a3797c176e63d512f680ce8d1de9
MD5 hash:	fa9c3546895fdbe453ebead002291750
humanhash:	william-pennsylvania-aspen-mississippi
File name:	Z1100ST5N.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	73'728 bytes
First seen:	2020-06-08 09:20:05 UTC
Last seen:	2020-06-08 10:22:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	eb9d4dda2dcb1fff1fabbe1c9117e527 (3 x GuLoader)
ssdeep	1536:KflN7G7lhKRCCDf4Mnr+mLHfLKiQjgCFM8:KjkfYuca
Threatray	1'168 similar samples on MalwareBazaar
TLSH	2F732823BBD09573C61486B50F7197D4063BFC3019A98A072D57BA9F3A76D468C3931B
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: yuntong-batt.co
Sending IP: 111.90.141.203
From: Tongfei Wang <wang@yuntong-batt.co>
Subject: RE: INQUIRY FOR DTR
Attachment: Z1100ST5N.rar (contains "Z1100ST5N.exe")

GuLoader payload URL:
http://111.90.148.217/mazo_WzdQAtYOZ233.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/6962/

Detection(s):

SecuriteInfo.com.FileRepMalware.17891.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-06-08 05:02:51 UTC

AV detection:

21 of 31 (67.74%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g6rundkspyrkjtoqyhuhc6s3zjqnwlgyvkwodjgslns65tgya6oa._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

0ec3c68f6fa845bcc40ea35365aa204f7e8bdf8010ea20dec2e3ea3f46838e02

10e5aba7f34c9acff9ff3bd7d959fd719ca6327dc09f5dbdd976167ad6304f9c

3667b7518f2634bfd589f12fe1fd6e7ec1701030529dd3ece0b04705e76e5e06

5c86fcf32d1f15a745dd2f39989630ac310d1aee52af7b5f762f75f8855879ab

a0c5ec02160570545c6eb2b81cbff1db49cbce0d90ba6e567b42e1a3e3a7076c

a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff

bbb38a432f7eff2a12b72c3ed853e937fbf5d7b9bd23b9f8ab61beb6bd594c10

c688c6b0f5bd44c8d37e810000892ce8d0e2225f1dd04a92d454fd60c7cdc779

da52dddf3fb5de8859dd962bc96eeb267fc4e723682c3defec35672be1441e5e

ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64

+ 1'158 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-x129h116v6/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 7ee50b3ae0cdf30990165bdbbe0193de842a56b4ad32d353884f68246bf7c72f

exe 37a3468d527e22a4cdd0c1e8717a5bca60db2cd8aaace1a4d25b65eeccd8079c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/383077/

Dropped by

MD5 9761848f2ccf5899a4d4686e174f1f6a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 7ee50b3ae0cdf30990165bdbbe0193de842a56b4ad32d353884f68246bf7c72f

Cape

Cape

https://www.capesandbox.com/analysis/6962/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample