MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec5b7c7c61e8282e08ca88732af9355470cf4c3ada79a3c25137fb16aa0c0b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	ec5b7c7c61e8282e08ca88732af9355470cf4c3ada79a3c25137fb16aa0c0b54
SHA3-384 hash:	40338e76028d922d955d03d55f4df9e8cde603e919ca717ef60dd45d39ed8c17fe5b2ee5a5f9e85d40bfee5af46afc87
SHA1 hash:	9c6b790f716c7311e4777e2389e220bc2698dbe8
MD5 hash:	863094f76f252f617a7d70fa5f39403b
humanhash:	east-minnesota-asparagus-king
File name:	Billing_Statement-163318040.pdf (2).exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-05-21 15:32:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	82c4419f54aa4f813386db9976b1d1af (1 x GuLoader)
ssdeep	768:MoSJPC0hi+Flj0LLZRBaha+wrkLLvNESrdqbdYvcqV5aeB4HfeYOaqsddE33xsEG:DqPT6LFq1AkLrNt5Yduda3EafwHxe
Threatray	5'360 similar samples on MalwareBazaar
TLSH	A1A31A21BAD0BD72C914CDF11D669B5821AFEC732A168E0B70DD7B9D2573A01E62231B
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: mxserver22-out7.masterweb.com
Sending IP: 103.25.223.216
From: Total Credit Management Services Ltd. <inquiry@totalcredit.hk>
Subject: Billing_Statement-163318040
Attachment: Billing_Statement-163318040.pdf .rar (contains "Billing_Statement-163318040.pdf (2).exe")

GuLoader payload URL:
https://lancastermed.net/tb_wtxemzP185.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

81

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-21 11:56:12 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

22 of 31 (70.97%)

Threat level:

2/5

Verdict:

malicious

Label(s):

guloader

Similar samples:

02b10c6690bd0ed3e9b675553519df78a7ede63a398d68304043eacb691fd305

223bbe1af0d09289a1ebeddf78e3218fcae28d0a69c291d66fee5fa29337844a

322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e

4dcaa189e4b595f7c2ea35bf30bcbee49f9f9c2a3bbe16d832a30c8df30c2a88

6f06cf7295e9301a4358854569f7d53dcf77319a94a76b45e60ebc72b88c2087

8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2

923a8eab7773b5be5e3e380de1505a2c6c71f7b82329e9f3b3ff1461dc057610

9cbe5097d40713390439b736ac90f7ac008db11188a9b8d0ad40fec39d5cff12

a9933b87a7005503dc8cdaaa5c47c733e12bee1a65f8adfd9563805ea6aaac58

d720a410d804f04fbc099bc1cecbac2bdf37944a84662442fe98cd0945b59ade

+ 5'350 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-qwcwgscm2a/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 8b16f4e553f4e03dfd47f42fcb5ba9d19034ab6a42405a1f356b1bbac985a42a

exe ec5b7c7c61e8282e08ca88732af9355470cf4c3ada79a3c25137fb16aa0c0b54

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/366246/

Dropped by

MD5 4a16bedfac95c9047005494ad0629c9e

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 8b16f4e553f4e03dfd47f42fcb5ba9d19034ab6a42405a1f356b1bbac985a42a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample