MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f833e247361f95f0686bed7fe55c6d9357837513e2edb0da3886ba850066d6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f833e247361f95f0686bed7fe55c6d9357837513e2edb0da3886ba850066d6c
SHA3-384 hash: a997a7510bd469fd2103b84013ac9885050e8461adcfd2e3bf0b144f5117037f04f8ef9924a22dd14222f3ec2da7b849
SHA1 hash: 69e4360fea4a650a854d0f019372ef32e73adca5
MD5 hash: 4182d8ea0c94fb08ac297b532a02d121
humanhash: gee-high-victor-salami
File name:scanned-RFQ.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'824 bytes
First seen:2020-06-01 10:50:38 UTC
Last seen:2020-06-01 12:25:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 74b5695712545d37236a3f305499f566 (1 x GuLoader)
ssdeep 768:NeXu0hoNumuu9qJ71qDTUZ1FlSTavf2+WvVNzlGl:Ne+vqhuIZITZLl
Threatray 1'566 similar samples on MalwareBazaar
TLSH 55730A6FBE4881B9F44589712959D166772ABC3294015F0FB2013F96A876E83BCF133B
Reporter abuse_ch
Tags:bat GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: trans-china.com
Sending IP: 103.99.1.144
From: Trans-China Logistics Co.,Ltd. <market01@trans-china.com>
Reply-To: Trans-China Logistics Co.,Ltd. <noreply@domain-admin.com>
Subject: FWD: Quote / Inquiry SN 888059-5 REF# 030502 / RFQ DOCS.
Attachment: scanned-RFQ.gz (contains "scanned-RFQ.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1wyU2cqTXrDXncPsex46feOJix7eXbc4K

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5525/
Detection(s):
Win.Dropper.NetWire-7993073-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-06-01 01:47:00 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6bt4jdtmh4v6bugx3l74vog3e2xqn2rhyxnwdndrbv2quagnvwa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1403d5f33c1379c32f1cb03b1c72d317b81541532647386e7aef8ba51f4c18c6
GuLoader
474233cdd3d96bddb9f6733b5345cd411ed3bc141f462d77849f1294900b0aac
GuLoader
52d3a075274a8986c3e44c30ff9037abe45f150b241f6aa48d8a4efcb467cbba
GuLoader
5344451622e4d4ac6036cdacefa0e5299843a2aee428cd643bcc663630b3b3de
GuLoader
a0da1c24eb6a23bd435cf8787a335324b0dd654bfe01ab76a41c5c3cbab48fe2
GuLoader
a0ef6565b8fed20e76a7fc22c4627c0a62b6d5bdc3b79b7901a00e236060ee2b
GuLoader
acbdc5ee4cfd910a6d94ffee791a5f62631bbf449ee4883bdd3ae6b705b652ee
GuLoader
bdfc8efb0dd8f8530002fca468d1234513bf740a9515269621a83f9af1128550
GuLoader
d99947df7b80d4cf1f998cd4c205df67be0afc6ab0d9b4d92988b1aeccc1bf0c
GuLoader
f6c4c54e5af63b2b0f393830ddbf2a985289eb9bf6cb8a65ee7d68a79ddeb7f7
GuLoader
+ 1'556 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-z1ygbe8hka/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 8bea01b95cc9af6185144ff48635f44f740d1ac9bcc9fefdd1e706bea4acde4e

GuLoader

Executable exe 7f833e247361f95f0686bed7fe55c6d9357837513e2edb0da3886ba850066d6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/373174/
  
Dropped by
MD5 9d27ed8b79a0e6316bc132e1356db2e4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8bea01b95cc9af6185144ff48635f44f740d1ac9bcc9fefdd1e706bea4acde4e
Cape
Cape
https://www.capesandbox.com/analysis/5525/

Comments