MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6431e6867f99822d3db78c6414571041c14b194fc6363aec5618180b492389ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	6431e6867f99822d3db78c6414571041c14b194fc6363aec5618180b492389ba
SHA3-384 hash:	1d708d393b764ba55bfcdb8272ff3c55a86432c31e6ddbff2bc5eba824918924333b4c5f62777236e94b8b34d1a5244f
SHA1 hash:	e58d8fe88f4449c2f3fd6f9d93357815ae8822a6
MD5 hash:	5da43e05439c2e58186770b58058fc3d
humanhash:	london-kentucky-wyoming-alpha
File name:	5da43e05439c2e58186770b58058fc3d.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	106'496 bytes
First seen:	2020-05-21 08:38:31 UTC
Last seen:	2020-05-21 09:51:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	440beb04e75b7aa5b7d57e843bf636d5 (1 x GuLoader)
ssdeep	1536:Yy2mnDq5sCN6zic7gaGnCK0NJBparY7XdP:N2mnGP8zi4JoY7R
Threatray	5'109 similar samples on MalwareBazaar
TLSH	5CA318A3F4F8A861EA2A4AFE9536EAA4171FAC790531C58F30C5B68C15F3752B534307
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

GuLoader payload URL:
https://thyssnkrupp.com/bin_zwjFTxRJOD192.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

83

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.DownLoader33.43427.4975.6226.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-20 19:07:00 UTC

AV detection:

15 of 31 (48.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mqy6nbt7tgbc2pnxrrsbivyqihauwgkpyy3dv3cwdamawsjdrg5a._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35

0725fa234dd7f9bdcbcd0eef96c79017200f5c27676e4126a00c6d33e6601a5a

0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197

172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f

22d5036d18a7dbaf7a67487165b4bca434220d5d066ba9f74bc1ad20eb37290a

347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32

4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d

54828c080b94bdbf7bc08ff7a3fc69fa5a91d1b067d2997af8ef60c0304b4aed

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

839856ed87695990bbed8a508ff2645ad729f46753fe487a286361a15aa2ea94

+ 5'099 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-x5bzyh5pwn/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

URLhaus

https://urlhaus.abuse.ch/url/365676/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample