MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bdb44b6363e3b185573f4c7e08e78201174fd692f18fc2882a95f8ba455bb5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bdb44b6363e3b185573f4c7e08e78201174fd692f18fc2882a95f8ba455bb5e
SHA3-384 hash: e56cb197c4c5a5fd04706255a9000c2fc98d6edd8863d1610014d85ab5152268a77293df8d0d792a9d95aadf086aff56
SHA1 hash: 48ce440544095185ac297a883be9c488351b21dc
MD5 hash: be23cd55fa0069ffa5e2b7f8877e3e2e
humanhash: lima-cat-batman-venus
File name:Reminder Notice for Payment Defaulter.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:131'072 bytes
First seen:2020-06-04 15:54:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6aca85abac7b07eacba61a62e69d2fd8 (1 x GuLoader)
ssdeep 3072:9KfEcuDynSaCmjHotk3PV55hkXufBymrwiGirVq:9KscuDNKjIS3PV6ErwiTr
Threatray 942 similar samples on MalwareBazaar
TLSH 89D35A033D5DCB15D19419F17CA39C9E3A1B6A0C9E4027AF1085AFEFAD70291ACD662F
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: kra.go.ke
Sending IP: 103.207.38.152
From: <admin.itax2@kra.go.ke>
Subject: Reminder Notice for Payment Defaulter for Obligation Value Added Tax (VAT) and period 01/01/2020 to 31/01/2020
Attachment: Reminder Notice for Payment Defaulter.zip (contains "Reminder Notice for Payment Defaulter.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1CITKldez66BgvXXT9ylfqvoseGuL_n4d

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6571/
Detection(s):
Win.Malware.Guloader-8002906-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 14:06:29 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppnujnrwhy5rqvlt6td6bdtyeaixj7ljf4mpykecvfpyxjcvxnpa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
18dc7ad4fd5ffd0ec8b8f12884b41f3ace4e2ba95f704175ebf0a0eead74ba36
GuLoader
65ab725aa981b93b5f3ca28ea8f5257235f6974abe8fb5b03086cc1f9c6aa41b
GuLoader
6b264d7bac7b64c40d89c0e35016ce95f78a90f4f098fc3c1116217c98fe544a
GuLoader
82d32f5841ba04262e4b1a15d798cfbd69a4bc9ebd37caf3573818e7a2140639
GuLoader
898abdb2d9de0344e5b43ac7e4330faeb03d97aa0a3c37e0a37da0ed4d732e9b
GuLoader
8e4cb68e8910042eeb4f5f4588a5a76df31cc6b0be9ad55165ced088afc23201
GuLoader
96487abb17fc905506f1be48d51ea17bb652515d8e5f40a4f524daebe98a6efa
GuLoader
98cbe4d5b07975cd7f0b7a23296b918264585dce46b2c1844a9f52640c03d2a6
GuLoader
c1ffff1b0912fbb00db8b8eb08b6c181a924a31cd806257604980be2d371092c
GuLoader
d7e975690cea31ddff67f92f89ee45cf24f09d9e3f7e91b8f3ee6305d23e52d5
GuLoader
+ 932 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-qlrty53dne/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 5be931631728bae2a1c9c82e8257cffb950b804c8ad28075da587ec04bf56d02

GuLoader

Executable exe 7bdb44b6363e3b185573f4c7e08e78201174fd692f18fc2882a95f8ba455bb5e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/379327/
  
Dropped by
MD5 01f32d6463e407c27dc292249bd08500
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5be931631728bae2a1c9c82e8257cffb950b804c8ad28075da587ec04bf56d02
Cape
Cape
https://www.capesandbox.com/analysis/6571/

Comments