MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce13b6969219a3acc2cd23208f987f4a2f6779b6bd34bfc22c6f35946cf2fad7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce13b6969219a3acc2cd23208f987f4a2f6779b6bd34bfc22c6f35946cf2fad7
SHA3-384 hash: 096dea6f35e84a056546d7f6599333583b7523be9f78277c4a765c9647afe49f0c3cd5966fb47f9c10212269fd5b8305
SHA1 hash: 75f961ce9a4e66fc5e4a1171a2f20fd75cf21bf8
MD5 hash: c81999ecbf702c3071b1a6abe3c6a1aa
humanhash: lima-cup-kitten-fruit
File name:Order#2256215M_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'112 bytes
First seen:2020-05-22 15:03:26 UTC
Last seen:2020-05-22 15:48:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b0da6c1de945a710ef5ef13e4b8e91c (4 x GuLoader, 1 x Loki)
ssdeep 768:6ByGGf1TZySoO//YsIz2Y5cU/Gg74WN7WswjpO0kMwoX24vQrRItu3cpnroSR:kK9TZjv/XA26B74oWsMpO0Go7Tnrl
Threatray 840 similar samples on MalwareBazaar
TLSH 43933B157DA8ECB2CC104EB55D26D59412EBBD313D4A8F0F388A3B1C3A775F26A16326
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: qq.com
Sending IP: 183.3.255.184
From: Sales <reservations@ss-wq.com>
Reply-To: pay@sh-soa.com
Subject: New Order (Urgent)
Attachment: Order2256215M_pdf.zip (contains "Order#2256215M_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Ursu.878098.20061.25433.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 15:35:58 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
086ab996f2bb9fa2f10f83ddf23cd48f7855572f82493c1c59dd000e12bf0435
GuLoader
54cc3426c8ad3f2d39543a8157843620af7108ea419589cc6755e77a31b96047
GuLoader
6575a80b5fa70f2b72b0c5270e4bf316efbdda166b73267a783ebe8a56f3cd1e
GuLoader
a5f48830c6c2130726fbd6d9a382e3965d2730cb54d902097916fc45ad89bae4
GuLoader
a8f6089ef9fc867169c92b6134d5b9c8199e39b1141bd7028489ddca343e122d
GuLoader
b46e01055760bbf07abe355f36103fbd4dce23998dc1313a9a0d45c43b288898
GuLoader
bec18daded64039e7f698c13a680ff36863de1012f85dfb4bd496e51055e181a
GuLoader
d73498e0aabb97375783af491aded66aa6710ba848247de3337f404fa02a35c0
GuLoader
d7cc89d17f793556280377caf787bc0654b467ae8c2da092c28def150cb51885
GuLoader
fdafb44be84ea918c76a99f4c24c08fbe8de6648a4ad73614f77450aa2b43484
GuLoader
+ 830 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-zs7f1d4cza/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 0119e714f6b46e4790dd3944850a5d3fa8b147e258389b17fd900406b9adb5ca

GuLoader

Executable exe ce13b6969219a3acc2cd23208f987f4a2f6779b6bd34bfc22c6f35946cf2fad7

(this sample)

  
Dropped by
MD5 340eb44b60732938b5451bd1fa610e5a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0119e714f6b46e4790dd3944850a5d3fa8b147e258389b17fd900406b9adb5ca

Comments