MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ec2198d8ee3d15c25b0868d397eccb0b1b9b4c75594b64906f8251160bd07a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ec2198d8ee3d15c25b0868d397eccb0b1b9b4c75594b64906f8251160bd07a1
SHA3-384 hash: 0fd98b8f5738854e08ee2fbcf26f4bb59234df3e15e2270472fb14f60fb800459e88b6ec9130c907b1936b25ea74b6fc
SHA1 hash: 19d3c629ca4f26719fbfb4dabc700a50b1873828
MD5 hash: d0b52d326adee515486f12b3bee90f7e
humanhash: uranus-orange-finch-pluto
File name:DL7593462,Shipment Arrival Notion,pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-10-23 06:23:59 UTC
Last seen:2020-10-23 07:13:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 58784c646b261918ddb8aa8da6bbb64b (1 x GuLoader)
ssdeep 768:EOxryXaHatx7n2+T39syCAW8N/GOyqy9gvujQ7mdI:EtXmatB20NCAxN/F/y9geQ7f
Threatray 561 similar samples on MalwareBazaar
TLSH 5A83F8F0ED2A5546E733D53D5622D74D42D11180F326C063B4D2A9A5A8B338C2D9AEEF
Reporter abuse_ch
Tags:DHL exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: vps.dureamprad.com
Sending IP: 45.95.170.139
From: DHL Express Cargo <delivery@dhl.com>
Subject: RV: DHL CARGO DELIVERY
Attachment: DL7593462,Shipment Arrival Notion,pdf.iso (contains "DL7593462,Shipment Arrival Notion,pdf.exe")

GuLoader payload URL:
https://szptt.co.nz/wakis/secure/DoubleGrace2020_aIAMoNT203.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74899/
Detection(s):
SecuriteInfo.com.Gen.NN.ZevbaF.34570.fm0@aKB1@4mi.11775.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/507742
Signature
Contain functionality to detect virtual machines
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ec2198d8ee3d15c25b0868d397eccb0b1b9b4c75594b64906f8251160bd07a1/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 23:43:13 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3bbtdmo4pivyjnqq2gts7wmwcy3tnghkwklmsig7asrcyf5a6qq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1891748c2fd3821e15a519b10a34bb5372fd5601ad57fae537e4ed41ef593163
GuLoader
435de432f3870ad1349db6a830ef797597e19630c8439d7d61b2ce2524e9da33
GuLoader
448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9
GuLoader
570f0f28a41c3df98edb9c5301bbf8ed8924640848f3fd0a7462fed0224af93c
GuLoader
8247baad6838676fb803763c3995eb735d8535045c344349fb8cf90e9e22534d
GuLoader
89210ae907c9573298a900f88b97082c190618d64ecfa37eb5afda4615629475
GuLoader
99b13841abbf0c2bf736ab08e0e7f48cd28cab2e69eff60399de65e0eced2e68
GuLoader
b4faad2ab96b7348202784c23e871c07a7e5cc2ff7f0d83037cb26954f1bb8e3
GuLoader
cbf132a151298c2ffc66d0bb6969ca878f8c3eeca1f17dbabe854c3b343b8e11
GuLoader
febbf2119882b88d952379874d73e2c02e3816d49ded935fff81d4d24726d87c
GuLoader
+ 551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201023-5k7rp8anex/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
5ec2198d8ee3d15c25b0868d397eccb0b1b9b4c75594b64906f8251160bd07a1
MD5 hash:
d0b52d326adee515486f12b3bee90f7e
SHA1 hash:
19d3c629ca4f26719fbfb4dabc700a50b1873828
Link:
https://www.unpac.me/results/d13e36dd-0f3b-4d9f-95fe-995dd4c78907/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 55eeaee638361b2e033d022056fa067dd32a5801ac02994c2857084cd81d7ca1

GuLoader

Executable exe 5ec2198d8ee3d15c25b0868d397eccb0b1b9b4c75594b64906f8251160bd07a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/738432/
  
Dropped by
MD5 dcb74d8670873228f86ea8219d61b5ad
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74899/
  
Dropped by
SHA256 55eeaee638361b2e033d022056fa067dd32a5801ac02994c2857084cd81d7ca1

Comments