MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
SHA3-384 hash:	8efadec2c6735bb26092e719ec80227975ba729a83cc2e0d7ae4953b1048c0f8e0e0a3fbfe56d86f4c72e8f4dcf3e839
SHA1 hash:	49523cc5ece4127d3b75e894338bf2a62176ab66
MD5 hash:	9193e8e6f9283a4eb9458ab27bbef804
humanhash:	arizona-orange-low-triple
File name:	DHL_AWB# 9284730931.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	81'920 bytes
First seen:	2020-06-02 11:01:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6b928dcca793e27f614afbceb4cc41f0 (1 x GuLoader)
ssdeep	1536:xBpeFO8lLtiXXBBXMBlFjdcP2ub/0KMo:xzDMLcVT
Threatray	4'861 similar samples on MalwareBazaar
TLSH	618349077E4C9A12E07446702CA7D3B97F26BC1849426E4F354D6E5BBF313626CAC22E
Reporter	abuse_ch
Tags:	DHL exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: server.gtrit.com.my
Sending IP: 103.18.246.122
From: "DHL Express"<dhl1@dhl.com>
Subject: Original Shipment Document
Attachment: DHL_AWB 9284730931.rar (contains "DHL_AWB# 9284730931.exe")

GuLoader payload URL:
https://qif.ac.ke/flow_AoGPhiVz245.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

64

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6051/

Gathering data

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2020-06-02 16:51:58 UTC

AV detection:

17 of 31 (54.84%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2hu63zeiqsp2vnplhz3hobfemrgmphtovlep5glnsd5bmtti6yqa._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f

1e997f4144eb94f184308c7ebe6dbad709cf7151721c563e43a92d52539d4e1d

490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd

65d993ca9f1fffaa634838468d8f9401f7f2812aa75065e9805447db5b667720

84c1cc6183b56cc7983f93d265089e781d809648f4eb6d0a7a597244009b480c

895e7e85e398a6bd3615a8453c1ed21979a2676fa84af0e53077635f812b64fc

b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634

b3ffcbb8279a9fd2b833c99170fd8cf01f9b5209617840dd8cc4411989d5e479

e09c2eb3f06cc722f1035d501755645c3feb569441f465ae3ba69aa4aba6ffa1

f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c

+ 4'851 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-mx2s37ltvj/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 2ed29e69e093dd3a16eab9c02e29c5a91421fac4e0cd1c5b58f80e111b00bffb

exe d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/365459/

Dropped by

MD5 e2e0ca347a337551b600db2edb6ff235

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6051/

Dropped by

SHA256 2ed29e69e093dd3a16eab9c02e29c5a91421fac4e0cd1c5b58f80e111b00bffb

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample