MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ead90293cac15537e49f3d31cf728f03b045ea64942d667aa28f037ddd2e219. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	0ead90293cac15537e49f3d31cf728f03b045ea64942d667aa28f037ddd2e219
SHA3-384 hash:	5b0344a6f44e317b80496d6d76d695673018a0ed15ab29921c47eaf61b2715c80c60171ab2d5e07597ad16528f4e3d6e
SHA1 hash:	ef25abba278a72f686f8d7cfc4dfe9296d524c93
MD5 hash:	963bfbe055df7055ca9ad2517aba9d47
humanhash:	social-ceiling-louisiana-pluto
File name:	INVOICE AND BANK DETAILS.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	196'608 bytes
First seen:	2020-05-28 08:40:42 UTC
Last seen:	2020-05-28 10:54:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5585809689ec9c2b132740fee2116ddf (1 x GuLoader)
ssdeep	1536:Zz3oWfapW9kmei4/8F91LVTexAZAmP9AAn7jkHbStIBRebeBG58A+CkDm8AWsKHj:9ZCpW93VTL6IFBahX586
Threatray	155 similar samples on MalwareBazaar
TLSH	5B145D327796CCE2DD4104F4E8D2C5F919A0BC14CD06CE2B7AC1BF2E35BA542996A736
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: imetsrl.com
Sending IP: 142.11.244.72
From: Massimo Ciompi - I.M.E.T <mciompi@imetsrl.com>
Reply-To: Massimo Ciompi - I.M.E.T <mciompi@imetsrl.com>
Subject: RE: INVOICE AND BANK DETAILS
Attachment: INVOICE AND BANK DETAILS.zip (contains "INVOICE AND BANK DETAILS.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1P9WbHExzGZLrIS4o6Wry38Lr7jT-a0R6

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/5145/

Detection(s):

Win.Dropper.Noon-7585277-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-05-28 09:36:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 31 (61.29%)

Threat level:

5/5

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/201109-z11mvkq8rn/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 76ce765b6bc53bc126f5fe004dab8dd8b99f82e9ce2b4e29b310f5987310c20d

GuLoader

exe 0ead90293cac15537e49f3d31cf728f03b045ea64942d667aa28f037ddd2e219

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/370384/

Dropped by

MD5 c49de62195e8e0f4e55dc27cb46ab439

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 76ce765b6bc53bc126f5fe004dab8dd8b99f82e9ce2b4e29b310f5987310c20d

Cape

https://www.capesandbox.com/analysis/5145/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample