MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5014b473901c1517c80fa4229172b855af67b2f20f2e7e61bee8d21a9bb94478. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5014b473901c1517c80fa4229172b855af67b2f20f2e7e61bee8d21a9bb94478
SHA3-384 hash: f852547e3b00ba4144e8a42e389434e4da5a59f87df2a4a5851361c96720d75781c84c13eb1a02e2876ee982c39612fc
SHA1 hash: 09f1fef440b74e77b0e042382f2ba0eb50a39c0c
MD5 hash: 9349b201422e4379371e654df66f36d9
humanhash: august-freddie-queen-magnesium
File name:Payment Slip Draft.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2020-05-22 10:19:42 UTC
Last seen:2020-05-22 10:52:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash adb28da1698b6a16e752f79d2beb4ac3 (1 x GuLoader)
ssdeep 1536:ivTyyLKKgDDqwLffBVucXY38Vaj8UNN3jUEQ:/yLFczBVFIMyzNNU
Threatray 385 similar samples on MalwareBazaar
TLSH 07B31A51B7D0AC67DDEC4DF25A724294E2EFBC3E6802570B27CAB60EC533480A6517A7
Reporter abuse_ch
Tags:bat GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mx.shi-ig.com
Sending IP: 217.61.123.234
From: Account Department <jeff@shi-ig.com>
Subject: Re:SWIFT CONFIRMATION DETAILS payment commitment
Attachment: Payment Slip Draft.zip (contains "Payment Slip Draft.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1d8617kLZCNQGn2EFatz6wpYYeqeclOOG

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 04:26:36 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 48 (47.92%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0e11032c40b88ae18b88c56392c3e7468971f9c0d19a422c1d626bed2133219e
GuLoader
2090ef501bf30eff58e65ff4491b5a913e5e105ff952b6d26b3e5ccf9e251cc9
GuLoader
2eb11af6d3282bc293586d723b4f411157975c6a7464bc7fecb0f11a2c8951bd
GuLoader
305a2d609d4d34967a53c2f44b9c48acd3e683ac3be396bdb359ba0398da7a75
GuLoader
6c47beb6dad9fa342b607b9868de8560ede70fc5cf2819c0269c5d6fd6c961bf
GuLoader
91317bfa0133687ff1ed62c9f259ffd823a8e64efa34ab6c98ab4e748b497029
GuLoader
99a25991c82e15ee5b4db6c8aaa9b11193b2c293e1e4951e4e4cdd8a4c853670
GuLoader
b0240d2ab275a142c3ba13632ebb00fd6cba189613ca85e4d800eb640ef0cd9f
GuLoader
ca73b141e59412b434f105fef26227cea43190fbf99e7be806f00b9b9f7a9428
GuLoader
e7cf4a0d3f94afea480bf5e64a658029d02191330244697ba9afd81dd5b56386
GuLoader
+ 375 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-g1vxperx7x/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 38d3ac2f0ca1e37cbcd4b9fecf8a4396d29a4f183fe848042d1287e12bf23bf0

GuLoader

Executable exe 5014b473901c1517c80fa4229172b855af67b2f20f2e7e61bee8d21a9bb94478

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366520/
  
Dropped by
MD5 2efabc4257442e4fb53a17eac44dbe02
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 38d3ac2f0ca1e37cbcd4b9fecf8a4396d29a4f183fe848042d1287e12bf23bf0

Comments