MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c98091ed44cd76e438ce2e7a9c71b57d37ff45903d365162040af94fa143b9f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c98091ed44cd76e438ce2e7a9c71b57d37ff45903d365162040af94fa143b9f5
SHA3-384 hash: 9cf28e3b9edb36b2574f462250a2cc22c164000ffe735930c1665545359888c7b8f2b7e8180707fbc216941bd1d97213
SHA1 hash: 3af279e0ece6cb3eb9f3dffabaf931b8e858c505
MD5 hash: d0b9d4f623f69ab7fc5dd65e7d1c18a3
humanhash: cup-may-charlie-black
File name:Mage Properties Order Receipt #2020172602US_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:176'128 bytes
First seen:2020-06-05 19:34:24 UTC
Last seen:2020-06-05 21:01:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3fa35efd0bd8f7fdae70725edc36efda (1 x GuLoader)
ssdeep 1536:g0tDrdLtwAwQOcCEMZyqaRtjwDwvmOFHzTXdzC9CnvxqvMrI91QDWuAnhv:gYrdhvwQGEjNRtUEuOlzTXZLqt1+6nhv
Threatray 911 similar samples on MalwareBazaar
TLSH BB04D31BB81DCB9DE2544EF1F97251F11669AF17FA40292FB6C0FE6C71B009C28816E6
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: raikenservices.tech
Sending IP: 137.220.33.175
From: payment@raikenservices.tech
Subject: RE:Payment confirmed! Mage properties #2020172602US has been shipped
Attachment: Mage Properties Order Receipt 2020172602US_pdf.img (contains "Mage Properties Order Receipt #2020172602US_pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=13NDO4qABwhAw52XplbpeSGPdCx-zP9cG

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6809/
Detection(s):
SecuriteInfo.com.Variant.Ursu.791968.3614.24055.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-06-05 19:36:11 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgajd3kezv3oiogofz5jy4nvpu376rmqhu3fcyqebl4u7ikdxh2q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
229d8d98a701a24e93b4e374092a5ce767fb859ffbc243cea9c1486b871dd4fb
GuLoader
2ba0f2e22ed07ca3188c898a0c9256fd30e878916ebe669ed52b25cb18d5ccde
GuLoader
335d8ed00053696daafe3bf49972b52e1db2588c913d6de0e14e6fcd158d90c5
GuLoader
57bb966172a1d6bc994a682ef5da9b8b8fdabef539f44024c7e9368e6416d457
GuLoader
72eb2dc730e3574dcb204d37fcfb35cf91bacd8087d6028d743cb0992c874244
GuLoader
96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
c1ccf8689de88be32890345e454df2f1fa90e1e4033c0f63425001af42f7aef5
GuLoader
de5da2008e231c60a227d6700248953651e0242542f07027e400760283b91d42
GuLoader
e35d5297a515ddf23ac671f6110bb8f01a590e13d45dbeae5e96e0be414236b5
GuLoader
+ 901 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-bf5d9a67cs/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 56411e9984cfc62c18bb642ce1df394415c2067df561ed8b33b9b76063e440de

GuLoader

Executable exe c98091ed44cd76e438ce2e7a9c71b57d37ff45903d365162040af94fa143b9f5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/382354/
  
Dropped by
MD5 8526f46e04fd45d7a64be9587751db36
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 56411e9984cfc62c18bb642ce1df394415c2067df561ed8b33b9b76063e440de
Cape
Cape
https://www.capesandbox.com/analysis/6809/

Comments