MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cebea74a88247dc212934829df2370dee3adf5c9acfa6888021067db6c54686d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

SHA256 hash: cebea74a88247dc212934829df2370dee3adf5c9acfa6888021067db6c54686d
SHA3-384 hash: 253b0a1cd3d7583220d509aa47fbb6a9397d68bc70ed95394a76a220d512cc73590ba7aa7f8b86022715d4257999c8f1
SHA1 hash: 26b3e7393ad7411efd49098bf1bb2d72ffcbba5a
MD5 hash: b907f17841f58060b10a5ca6f7e3df42
humanhash: missouri-potato-shade-moon
File name: Purchase Order.scr
Signature: GuLoader
File size: 126'976 bytes
First seen: 2020-05-26 07:53:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c7115423f4fcdd131093345bb8195f0f (1 x GuLoader)
ssdeep: 1536:vM41fQusQ3kE7if225CzjfnhJ/Le2KJQAaf16s/6Wf5+8l+ubW:kEsQ3z7mz5k/6295ouS
Threatray: 241 similar samples on MalwareBazaar
TLSH: D3C33A2771D80CA1F9585EB54C2799972E1BEC35B4101B2F364AFB1D32372DA7AB031A
Reporter: abuse_ch
Tags: GuLoader scr


abuse_ch
Malspam distributing GuLoader:

HELO: reseller1.global.ba
Sending IP: 185.99.1.115
From: Sam Stagg <mightyspraying@gmail.com>
Subject: PURCHASE ORDER
Attachment: Purchase Order.zip (contains "Purchase Order.scr")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1Vn27mhyk6AiNL91otZHYI2-WbTb7KrT4

Intelligence

File Origin
# of uploads: 1
# of downloads: 71
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-05-26 01:29:00 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 20 of 31 (64.52%)
Threat level: 2/5

Result
Malware family: n/a
Score: 6/10
Tags: persistence

Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Executable exe cebea74a88247dc212934829df2370dee3adf5c9acfa6888021067db6c54686d (this sample)

Delivery method: Distributed via e-mail attachment

Comments