MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 435de432f3870ad1349db6a830ef797597e19630c8439d7d61b2ce2524e9da33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 435de432f3870ad1349db6a830ef797597e19630c8439d7d61b2ce2524e9da33
SHA3-384 hash: 4ceb29fb603b3a825047f83984811540b54612ed2f3a08af43dc104f3f8dbce352910b0dc7f451383c0027fd39c34729
SHA1 hash: 52571bb2d13aa6d35810e82814a344083dc5a6c5
MD5 hash: 093c59590eba1b4324a1c8220d07c545
humanhash: island-indigo-robin-burger
File name:PO-6843-217-Order-Quote.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:110'592 bytes
First seen:2020-05-26 07:40:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d9be9ab1bcb02ce294f62f0a1ff71f04 (1 x GuLoader)
ssdeep 1536:dGaR0U/96iPJO2sgg4abdxEbA7YoRdrgDKCmNE6NHlY0tOp1v3:dGViPQEbKYWrgDKCEE6NM
Threatray 319 similar samples on MalwareBazaar
TLSH 83B3F713B5D8BC91ED112FB01FD59EA50E27FC266D905B03F64FB76D293A2A50FA1208
Reporter abuse_ch
Tags:exe geo GuLoader KOR


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail-smail-vm46.hanmail.net
Sending IP: 203.133.180.234
From: 김대곤 <dgkim@rpmtech.co.kr>
Subject: 견적 요청 (친절하게 견적)
Attachment: PO-6843-217-Order-Quote.img (contains "PO-6843-217-Order-Quote.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1uu9s2DGGuZZ2tphyA_t6iL3f5aF1HXUM

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5640/
Result
Threat name:
GuLoader Lokibot
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/362001
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 02:01:04 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 30 (73.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0e3d83f664a5147b54de0323cf7319099cf4e214a074ba76c3cdc566f475eee3
GuLoader
1da069d39e2e88c624698760567c4019ca2de990b05c429be843355a0531b51a
GuLoader
38c4baea01347f88b497f928343cb19d1e68a693369da7cecdde067281e26fa9
GuLoader
3aa51ec61736aeeb1f90d430d696ee1c27ab773afec909da129fd171ba895f3e
GuLoader
3c2fb53051873bdd9f851e47352dd4b303241a0224f458040dd5d06ac242cc7d
GuLoader
6bb00f89a53da0f161e6f2872b315221fdabc16975afedb7364685263487bd1c
GuLoader
926ec7dc836ef4afe00029fa18c2dcf7ed49b41b24d884dfe6173c63a0329b50
GuLoader
afccd20b616b002619cc6e6135729cf2b85f381524d76ecaa4ba764a8144236b
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
b1bfc64b0b5890c39650f9ec6a12bb8b7c4b84654de8898d694f199f359b12a5
GuLoader
+ 309 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-xkvfphzz22/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img aa3e6aa1da234a7a0f266d6720e02bde0c5bae44ecd4f25477449bfc710bfb26

GuLoader

Executable exe 435de432f3870ad1349db6a830ef797597e19630c8439d7d61b2ce2524e9da33

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/368620/
  
Dropped by
MD5 254704b73eb0df6f16aa3de20cabc650
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 aa3e6aa1da234a7a0f266d6720e02bde0c5bae44ecd4f25477449bfc710bfb26
Cape
Cape
https://www.capesandbox.com/analysis/5640/

Comments