MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ea7c45996858960ac08d2362470f439e40f3b40f768db40cc8263ada70a8bf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4



SHA256 hash: 2ea7c45996858960ac08d2362470f439e40f3b40f768db40cc8263ada70a8bf4
SHA3-384 hash: b69e40f5ee95c03d8c147dd01ba1b00dfdde69fe6ee3dd13425ae9426af337d27480fec6287cadf38ba79739e0e2a09f
SHA1 hash: 1f275b3e509aa4d71900373dd074a6d07e4d1311
MD5 hash: 3c8d8ba00b7c637e98462a991b01e7f1
humanhash: video-tango-mountain-gee
File name: PrePayment_Slip_Hgz_Bestsino_ImpExp_Co_pdf.exe
Signature: GuLoader
File size: 94'208 bytes
First seen: 2020-06-02 11:18:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 58a4de27adb0e62e2e6ee2d29bb4cfb7 (1 x GuLoader)
ssdeep: 1536:HNFO8lLyobeCN7lIFaBirr86LzwK9w4Ha/TG1/qFw:dbeCvIFam8Mzwm1R
Threatray: 1'021 similar samples on MalwareBazaar
TLSH: 979318437AD44601F1B24B706EBB82996B25FC2949439A0F350D2E4BBB317569D6C33F
Reporter: abuse_ch
Tags: exe, GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: kolo.com
Sending IP: 173.82.154.164
From: victor.lee@bestsino.com.cn
Subject: Hangzhou Bestino May Order Pre-Paymnet (USD55,827.17)
Attachment: PrePayment_Slip_Hgz_Bestsino_ImpExp_Co_pdf.gz (contains "PrePayment_Slip_Hgz_Bestsino_ImpExp_Co_pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1keZJ7uo0eS222SPLWcHAZGbnxDN6PELJ

Intelligence


File Origin
# of uploads: 1
# of downloads: 72
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Fareit
Status: Malicious
First seen: 2020-06-02 07:54:40 UTC
AV detection: 19 of 31 (61.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
- Suspicious use of SetWindowsHookEx
- Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam (GuLoader)
Executable exe 2ea7c45996858960ac08d2362470f439e40f3b40f768db40cc8263ada70a8bf4 (this sample)
Delivery method: Distributed via e-mail attachment

Comments