MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da6fd7aeb4a04410109f9f170589fe5262a1922a7dabc5b7b26e0af00dcdaba3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da6fd7aeb4a04410109f9f170589fe5262a1922a7dabc5b7b26e0af00dcdaba3
SHA3-384 hash: ea064fedddca2f1edf09741709df8ab0709a38ffe20493413c1300f264b939c46038026e3fcbb72690737fc4cbdb970c
SHA1 hash: b3eea10f0c0d760509b3fb1fb76a38d55a440db3
MD5 hash: 6b808ea745af2ea71cf74b533fbb0fa7
humanhash: mirror-coffee-three-video
File name:HSBC Payment Advice.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:102'400 bytes
First seen:2020-05-21 10:26:15 UTC
Last seen:2020-05-21 12:24:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fad988257abba147eb4e1867fc879d8 (1 x GuLoader)
ssdeep 768:FJgLO9HayvVrl+WevxAPVwwGezdK2l7eer4SryDavUqdN4dHwdEJN3nsh+v5p+lm:TPw2Xa24ezdK2AY4SGDEKdHeInUblmx
Threatray 5'302 similar samples on MalwareBazaar
TLSH 9BA309217690EC75D65889F19DA45AE420FFAC343A028F0B65C77B2D2973B81F52239F
Reporter abuse_ch
Tags:bat GuLoader HSBC


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: server.katherinefashions-inc.com
Sending IP: 65.75.147.158
From: HSBC Advising Service <info@hsbc.com>
Subject: Payment Advice - Ref: [HSBC105702520] / Priority payment / Customer Ref:[PI1007057QT20]
Attachment: HSBC Payment Advice.iso (contains "HSBC Payment Advice.bat")

GuLoader payload URL:
http://www.mailserverservices.info/bin_hEJPi68.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Gen.NN.ZevbaF.34122.gm0@a4P94Aai.26926.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 10:37:15 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3jx5plvuubcbaee7t4lqlcp6kjrkderkpwv4ln5snyfpadonvorq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0e319c36c39c8504a0349445b2282bc450758b7e670a3477c0653b1daafffaff
GuLoader
308336495b7fa2af7107a520ec1fdcaac4a0d615e0ecfd8ddd6090c72c3f46b6
GuLoader
37812e3e7309cc0348c77208870cbeb44636a785dec26241fc6e392905edf91e
GuLoader
3b7dc89103d8c49eea88bd302c37e6b9c1f1ae13bdd38c9ff9709568b9f56e3b
GuLoader
42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58
GuLoader
4d4f1920e857285f7bb60473910ffabdd1cbbbb9140be18af0f226a247159546
GuLoader
9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2
GuLoader
a34a05f4fba031be97dcc4bb04e0e45a75d1034cd2d32177b26a65de7a1306a0
GuLoader
a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3
GuLoader
f6557b3412ca78e87ff38632aaf24732b74da646678fd6ea5f01134bb498fd14
GuLoader
+ 5'292 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-3lerwva9bn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 089ba205a3966767a087d8356926cb2ba4c7cde4c4dbfc84da165283cba38076

GuLoader

Executable exe da6fd7aeb4a04410109f9f170589fe5262a1922a7dabc5b7b26e0af00dcdaba3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366045/
  
Dropped by
MD5 46791007543e567814d8467b30e56c60
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 089ba205a3966767a087d8356926cb2ba4c7cde4c4dbfc84da165283cba38076

Comments