MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 983a50787533f7fb48c7aeccfe0cc8ea3b16a76a39b22a1668ef800ed56556f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 4



SHA256 hash: 983a50787533f7fb48c7aeccfe0cc8ea3b16a76a39b22a1668ef800ed56556f6
SHA3-384 hash: 5cb014dd416f6e60f38c89206b8482843e81bed96bebcba56c2e9f6aa48f46bb2bf8779e483dacf5f3dc49116da0aacc
SHA1 hash: 51e94467206ad81d83e09778d933a9acf38c7fd0
MD5 hash: 3cb26ab452084ced5af98ff70990c4b1
humanhash: saturn-eleven-grey-bluebird
File name: gunzipped
Signature: GuLoader
File size: 110'592 bytes
First seen: 2020-06-03 17:56:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b800ef2c9fbeb7001a0f6fff93283c54 (2 x GuLoader)
ssdeep: 1536:ajSPfxV40oX0iH9yynZIekgrKHxLdGKc+o0FDHdZ1gImt2cxrYGwcBw:LPXokidyGZZKVdhjFD9zyRYcBw
Threatray: 2'282 similar samples on MalwareBazaar
TLSH: 75B38C07FC4D8653C1444BBC2D179E793B1DAA0D4D406BDF7175AEABAE322421CA712E
Reporter: abuse_ch
Tags: GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: mail.oryxaviation.com
Sending IP: 167.114.52.9
From: ADE (MR) <ocean.import1@yamato.com>
Subject: RE: ADJUSTMENT // PRE ALERT AT INDONESIA NYK FUJI V.084S LCL TO JKT YGLNGO004466 // YIF-FW-19004159/
Attachment: shipping documents.gz (contains "gunzipped")

GuLoader payload URL:
https://kinansreview.com/build_NEW_gLpjIcLUO232.bin
https://cmdtech.com.vn/build_NEW_gLpjIcLUO232.bin

Intelligence


File Origin
# of uploads: 1
# of downloads: 78
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-06-03 18:35:35 UTC
AV detection: 32 of 48 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Relationship: MD5 8b95db042f8687d11bc5ea7c68fb85b3 (GuLoader) -> Executable exe 983a50787533f7fb48c7aeccfe0cc8ea3b16a76a39b22a1668ef800ed56556f6 (this sample)
Dropped by: MD5 8b95db042f8687d11bc5ea7c68fb85b3
Delivery method: Distributed via e-mail attachment
