MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b26b6fd030ce29451797859444a1bd9e0a717b06a2909406e68edf183887632e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	b26b6fd030ce29451797859444a1bd9e0a717b06a2909406e68edf183887632e
SHA3-384 hash:	9602cad4ad0fd8d38e8a133bd75ce12580bb006df210d23d16650093fb07c3bd86c92be26dd0a19bb67a2c302a2287d6
SHA1 hash:	e17dbb455e14b3c2069b038c3acd63056639470b
MD5 hash:	3315a2082a25adf267d208e8da056d22
humanhash:	white-grey-oranges-high
File name:	KOMERC.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	61'440 bytes
First seen:	2020-05-22 09:48:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a07281b34d71598860d0f482cbb74f66 (1 x GuLoader)
ssdeep	768:pY2rdozugSQbGRh/2mlRO7ytCXgqbAa4z3Nu7/rz5:y2dcugSQbGT/2at0gBDI3t
Threatray	5'847 similar samples on MalwareBazaar
TLSH	C5533D16AA99DC72D6AD47F22E304BE80027BC30199ACE079745397D1B33F4ED5A8397
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: yisun.co
Sending IP: 111.90.159.196
From: Zhaohui Liu <liu@yisun.co>
Subject: AW: YANCHENG- ORDER GOOCE
Attachment: KOMERC.rar (contains "KOMERC.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1OJhlL8Uk9dGI3niYQPd41SrhsC_DT2P9

Intelligence

File Origin

# of uploads :

1

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-22 00:24:36 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

19 of 30 (63.33%)

Threat level:

5/5

Verdict:

malicious

Label(s):

guloader

Similar samples:

2d15cd4ea7c6a5ff5f7f47acfedf52c6cb081a5791f8aa03a9a88636b58550ca

49fd1fd4167dc08352e383bd51337af9206603336040aadacc85fe5a9226ce6e

4e68480fbf23cd8b7efedd98614f1cd26032b955b4fc721e6622c62e4bb9f447

6c7d10402361556d564ce74e16a05024a4e0ad31da03b98fb69d4f7c0079730f

ba988eeaeef4b7e706308c40094dd0fe2146918e0386565cc2a14243e3f0aa69

d18ed67b05d0bbd6dfaba77a6053c92674bfef8abc8c7aae7c17f703adc6ea5c

d19a1337bd1fd3534eabbbdf6db6e402de9c2996edf3b4bae1bb10e85d7b5bde

d4943254bdebb92508362f26bd91da77d2aaecbcd73f086b917055c704a993a5

f0a859474803c2ba7687f71bdc33ed9296ef1a18920d6c3fb425fc30ae266826

f46ea866a034694bb34ddd4207ae960a5e43390ca9f9ad58daf4d14c42dbbc79

+ 5'837 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-aktpcz71ma/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 5080315be29757edfe5fa4db27a78ed169471607e072d7483fe0c4cf5f81e699

exe b26b6fd030ce29451797859444a1bd9e0a717b06a2909406e68edf183887632e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/366490/

Dropped by

MD5 1ad2a2a561b2b6629a962c79abefc8ec

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5080315be29757edfe5fa4db27a78ed169471607e072d7483fe0c4cf5f81e699

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample