MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0020d5328b75c4078556d235042c3afad2b7402db2b7a375280ddf48636c5a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	e0020d5328b75c4078556d235042c3afad2b7402db2b7a375280ddf48636c5a1
SHA3-384 hash:	3c967fec36f8c6e2407551e19fa7275cd4923b0b2655e8b370364cc2bacf0a41aa500ac635f9506b34971b9a8c984a8a
SHA1 hash:	80fddec9849890d4eeceec628522718fe8fd3ddf
MD5 hash:	fe4bd8b2dde5e3cbd7d5b0d1cd7006bc
humanhash:	enemy-butter-fourteen-dakota
File name:	RFQ_HTYY-9595834594504585IMG.com
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	106'496 bytes
First seen:	2020-05-28 13:17:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5329692fb8d009dd53329ae6356d17 (9 x GuLoader)
ssdeep	1536:LNnpoEYVHmnbESdSujk9pNVJvv9NNHB84r7EkVN20wvpSp:ZnRbE6j4NVJvv9NNHBX7p
Threatray	663 similar samples on MalwareBazaar
TLSH	C4A30623AA90EB11D03045F039179B4D16ABBE3101C1894BB5DD2B9E3BB1DD2F96E34B
Reporter	abuse_ch
Tags:	com GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: bestrade.com.tr
Sending IP: 45.147.228.215
From: Hatice Merve <merve@bestrade.com.tr>
Subject: RE: Urgent Request Quotation(New Contqact)
Attachment: RFQ_HTYY-9595834594504585IMG.img (contains "RFQ_HTYY-9595834594504585IMG.com")

GuLoader payload URL:
https://onedrive.live.com/download?cid=5CF421933F23FF14&resid=5CF421933F23FF14%21106&authkey=AGGCQtZ8CeiYMMg

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/5865/

Detection(s):

SecuriteInfo.com.Gen.NN.ZevbaF.34122.gm0@a0CsBJlG.17078.UNOFFICIAL

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/363740

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-28 12:18:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 31 (48.39%)

Threat level:

5/5

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-n731x7ddy6/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img ef148c6e508eb599caa06ffc57a42916e16a9bfd9e1e5e3738292905f67a1598

GuLoader

exe e0020d5328b75c4078556d235042c3afad2b7402db2b7a375280ddf48636c5a1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/370975/

Dropped by

MD5 290318cd40de95f5cf19babb91c96d0c

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 ef148c6e508eb599caa06ffc57a42916e16a9bfd9e1e5e3738292905f67a1598

Cape

https://www.capesandbox.com/analysis/5865/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample