MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4881256521a7ace4c7ed514c229535af949d6e296e7717f76d986abb2534fcc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4881256521a7ace4c7ed514c229535af949d6e296e7717f76d986abb2534fcc6
SHA3-384 hash: 8d0ca3b585dd9ae8befe51650fc03492004d1d471c7cbf6cae3914be30da6cc03bc46774af306ffecdc265f3410b000e
SHA1 hash: 246c0d1a8e47aa61d56ddaa9f1d42797634e9b91
MD5 hash: 2af83edda227e3ddf30fd82d8c6c193e
humanhash: five-bravo-quiet-avocado
File name:shipment #0239.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-06-08 12:10:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5414628fc555030fe38530a5d38b1193 (1 x GuLoader)
ssdeep 768:wPu1aL3mNtlrHBOjfn9ns4lhpStZTHi6JJg4uVIuoP6JGt72uvcX1wB4:IuRtSD9s43pyZria5uVVxGx2u0a
Threatray 819 similar samples on MalwareBazaar
TLSH B2839D173524C542E05507B22CB39AB92A67AC3418436F8B6589BFDFF875B426CA633C
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: smtp84.iad3a.emailsrvr.com
Sending IP: 173.203.187.84
From: Sales 01 <ase.nababgonj@olympicbd.com>
Reply-To: pablo_papillon@protonmail.com
Subject: Inquiry form Tasmaine #023920
Attachment: P.O 023920.rar (contains "shipment #0239.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=15q8KQY9KmW8KFlOrUmdxBVV5SN-NebUi

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7009/
Detection(s):
SecuriteInfo.com.CLASSIC.11700.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 12:12:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcaskzjbu6wojr7nkfgcffjvv6kj23rjnz3rp53ntbvlwjju7tda._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1262d63aabec1fe6b68df348419485b7bbe4fecec2bac3cdcc4fe42b12d24d96
GuLoader
15187de4f29194c60f3f199549c345592e967ee8ecf9a39b0a40c1796fdb222c
GuLoader
187c0f3510e1435dce3980a2ef3dd20b44a694218b3ba633afe266f23cff03cb
GuLoader
61b5d789c9983fb294e4e91fdcd1487c896fbc12a0a605215a48f589b6fb4937
GuLoader
7f7f93ae7c3ce6bd7d154c2e2188bd39c7d511df8fc890e46085afc34acdba2b
GuLoader
89e54f19c04bb28c90f0ee75419a149c8178f9841435a20be727506d0c9506d3
GuLoader
8d4b6b5a3f228456841a6627f6b4fe4de260e1261e312b30b62120d5297e68c1
GuLoader
8dfca70c89e2310b9f8af5cff4ace9dc09676db2e19950afb205518c581f9627
GuLoader
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
GuLoader
d894062069e0d2967a0ca5655892f29e511d37dd5de5f5dc02e7ed54f2e4fe45
GuLoader
+ 809 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-yq63sabv92/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 1b189a3e39d882a37014befa213b468c9268f63d5863c8edc2dd62e7e320c00c

GuLoader

Executable exe 4881256521a7ace4c7ed514c229535af949d6e296e7717f76d986abb2534fcc6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383143/
  
Dropped by
MD5 601c824d27ccc9007b956a15f76b3297
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/7009/
  
Dropped by
SHA256 1b189a3e39d882a37014befa213b468c9268f63d5863c8edc2dd62e7e320c00c

Comments