MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 505b27720a5499f84595328400b6ee1df8858b567f4f3e5da4e57d9f589ef930. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 505b27720a5499f84595328400b6ee1df8858b567f4f3e5da4e57d9f589ef930
SHA3-384 hash: f486ac5c346d679685624a894e7bbea2f74aac0c7945a973dfb02fa3da1d776bf2457074aec12557e1c35c7929c69b55
SHA1 hash: 3eb1fabe11bdbed1749a7c2ee82d7014ca986682
MD5 hash: 83f0deb0cdccb9fd660443b7556081b9
humanhash: idaho-cat-whiskey-paris
File name:Quotation.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-05-21 08:49:46 UTC
Last seen:2020-05-21 09:51:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a0b15fc489fdb876a71703cf4e6557e1 (1 x GuLoader)
ssdeep 768:IrWcBI3zG3BTdCbjBdclY/LjYPDgSX5H0RhEpDthWTel:RsJ8BKlSLjYPDg65HWiZWTo
Threatray 5'119 similar samples on MalwareBazaar
TLSH 04A31961F6D0AD61C5D487FE6E54CB6881AFAC340921CA0B36D73F5E09F2B91AC2174B
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail2.prosyst.com.br
Sending IP: 177.204.19.137
From: 销售经理 <diego.zapella@prosyst.com.br>
Subject: 要求报价和价格N95 / FFP2
Attachment: file.jpeg.img (contains "Quotation.exe")

GuLoader payload URL:
http://45.132.241.148/tt/bin_yjlzNiXBnc226.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48012.32174.26909.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 07:53:57 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbnso4qkksm7qrmvgkcabnxodx4ilc2wp5ht4xne4v6z6we67eya._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
GuLoader
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
GuLoader
422670a2b56da6d5ce753d8b6d50d7ccef1667ea8526875583a58509ac227ed3
GuLoader
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
GuLoader
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
GuLoader
a85f53a7ad2f536d245e47535007f2bceacfa10f08d7f3f6568781dd1794caa0
GuLoader
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
GuLoader
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
GuLoader
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
GuLoader
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
GuLoader
+ 5'109 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-1jfxftb5ya/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img f698def74a7c9cf8da55c527484a139df75baa5d1f71ac305bec51631b633266

GuLoader

Executable exe 505b27720a5499f84595328400b6ee1df8858b567f4f3e5da4e57d9f589ef930

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/365794/
  
Dropped by
MD5 e9284f360b9b0a5f7b7cff65ef73babf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f698def74a7c9cf8da55c527484a139df75baa5d1f71ac305bec51631b633266
  
URLhaus
https://urlhaus.abuse.ch/url/365830/

Comments