MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff1ec030f3f335af02cee82946ea04380dd4b5dd56f9d9494b201790710d051f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

SHA256 hash: ff1ec030f3f335af02cee82946ea04380dd4b5dd56f9d9494b201790710d051f
SHA3-384 hash: 1a4e376e108a86d21e22796fb9b12db492231d3b5593fd410da70ada95c3a06e2d1ded771fd150c00f59150a62e6c26a
SHA1 hash: 12549952d0dc074f68fafbba0f1a578d54ed9c10
MD5 hash: c129da99b0bff11d9fc4617b9e072d74
humanhash: minnesota-nitrogen-missouri-mike
File name: Order#33925_pdf.exe
Signature: GuLoader
File size: 110'592 bytes
First seen: 2020-05-26 07:39:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e0dcc55003fdee4a0b9d4ab255c844ad (1 x GuLoader)
ssdeep: 1536:vP8Ob/u9JgR+wosDdEffb9ad+qqyNLphNlCmwCUkqYmlyP8TZ:vUO69qRFosDd6Bad+Kp0mwCUkqYw
Threatray: 110 similar samples on MalwareBazaar
TLSH: 57B3D7027AE4FCA2EC015EF11FD1AEA60E66BD342C618F03B45B778D253A1E51FA1719
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: mail-m24148.qiye.163.com
Sending IP: 220.194.24.148
From: Purchase department <hlsong@deburringchina.com>
Subject: New order-(Top Urgent.)
Attachment: Order33925_pdf.zip (contains "Order#33925_pdf.exe")

GuLoader payload URLs:
http://keno-eneryg.com/mmddy/OriginBinyikoto_FJGLobKtZ240.bin
http://legalpros.lawyer/mmdy/OriginBinyikoto_FJGLobKtZ240.bin

Intelligence


File Origin
# of uploads: 1
# of downloads: 68
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-26 08:52:48 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 20 of 31 (64.52%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence

Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: GuLoader
Sample: Executable exe ff1ec030f3f335af02cee82946ea04380dd4b5dd56f9d9494b201790710d051f (this sample)