MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9edf9f4b9af50cf91f5cf08494f0374a29452d26e71438eb5d05b66cad0558d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9edf9f4b9af50cf91f5cf08494f0374a29452d26e71438eb5d05b66cad0558d3
SHA3-384 hash: adad899d64f7469d710ea81b0e24e9d5203977b42e44aa42b6d6a31c32969b298651be0fb03b6193426b7ade04da4c50
SHA1 hash: 3218eb59c5638683fe8176a2ad61eeb9d8a904e4
MD5 hash: be68e55e33f3b1462deac12f241702f0
humanhash: avocado-cup-five-october
File name:Swift Copy #05262020.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:114'688 bytes
First seen:2020-05-26 15:28:38 UTC
Last seen:2020-05-26 17:03:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 563465cdaf5affd917eed019aae20e19 (2 x GuLoader)
ssdeep 1536:7vDurbwCpFtLqFzdYPsmTIL0VXDIndGP7ai7hgLtv1Yif:zDuHhpFtLqFzdYPsqIL0VXDDPWQKuG
Threatray 316 similar samples on MalwareBazaar
TLSH 75B3F71B78A05CF3EC7C8BF358B2C5590E666E086D0B4B1779C6FE5C65721CB68A0386
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: digamma.host-in-europe.com
Sending IP: 62.75.189.83
From: kudinova@otis.kz
Subject: payment advice/Quotation
Attachment: Swift Copy 05262020.zip (contains "Swift Copy #05262020.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1Gf_55MdLxRl8DVWnj82K3cd9rQa9b0bL

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/4931/
Detection(s):
SecuriteInfo.com.Variant.Ursu.879400.1551.24386.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 15:35:44 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
10481c8ab9d363251e4d1aab4805df6d245621a5f10302fe5ed8cdd9f20bdc14
GuLoader
1a3223bf578249a17b6d1f8ee0ed8a5fd49690621f3ea63d0380db03f2c31e50
GuLoader
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
GuLoader
254920e6788f4cb4975f08c5deef07e932f4a370a38c5197d7a4fb7846ea63ae
GuLoader
443bc33e9d28fddd4229367cde23085b8d57549093ce8e991eb4753ce58c85fe
GuLoader
8657ccc1d28108a1b54a3daa4d72f80447da75c74c51726d5f4e9cbc14efff77
GuLoader
9011468f8a2d455ad6446b9f8e277db5b7daf0becf65644ad12b94bcad401380
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
dda25996ab5b78fa63ab71aa304360374fe2eb6ded670c778b2c69d9fa1f1e40
GuLoader
ef8f03a25087eeab581d8439a0a19ba7148270d2210d479c1d6867fac69dc813
GuLoader
+ 306 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-f67sxkreb2/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 2def11c221bb4eba0550040a81e69565033cbbb4975a26936e42699188212e07

GuLoader

Executable exe 9edf9f4b9af50cf91f5cf08494f0374a29452d26e71438eb5d05b66cad0558d3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/369193/
  
Dropped by
MD5 d3773b2f6e3e7bd69b65a10480467d6a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2def11c221bb4eba0550040a81e69565033cbbb4975a26936e42699188212e07
Cape
Cape
https://www.capesandbox.com/analysis/4931/

Comments


Avatar
CAPE Sandbox commented on 2020-05-27 05:48:38 UTC

#AgentTesla V2

https://capesandbox.com/analysis/4931/