MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a94255c2017221edd00cc99acd98a33e112e1182d9fd146d6a4ad9aa96921e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90a94255c2017221edd00cc99acd98a33e112e1182d9fd146d6a4ad9aa96921e
SHA3-384 hash: afd107803c33aaab341d926c1af0b455762804c65ba1aa07c41f37f535326002fa9860849dcaf24425396eb2928ac669
SHA1 hash: e1c22e4bfaffe9772e81590b255f82824ca56a72
MD5 hash: 36f52d915df68631a4b713f15021c4d6
humanhash: sad-mountain-ohio-ceiling
File name:SecuriteInfo.com.Fareit-FST36F52D915DF6.4070
Download: download sample
Signature GuLoader
Create hunting rule
File size:126'976 bytes
First seen:2020-08-27 20:22:59 UTC
Last seen:2020-08-27 20:32:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 43809c72e09a392e704e0c341620c120 (1 x GuLoader)
ssdeep 3072:rfEcuDynEEXaT+jHotk3PV55hkXuzdHOM5gG:rscuDXGjIS3PV6UuM
Threatray 3'475 similar samples on MalwareBazaar
TLSH C8C38C076D4DC382E00109F17C638E6D3A27AA0C9C81AE7F6146AECFED752526DDA51F
Reporter SecuriteInfoCom
Tags:GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51931/
Detection(s):
SecuriteInfo.com.Fareit-FST36F52D915DF6.4070.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/453024
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 278883 Sample: SecuriteInfo.com.Fareit-FST... Startdate: 27/08/2020 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 5 other signatures 2->70 12 SecuriteInfo.com.Fareit-FST36F52D915DF6.exe 1 2 2->12         started        15 wscript.exe 2->15         started        17 wscript.exe 2->17         started        process3 signatures4 108 Creates autostart registry keys with suspicious values (likely registry only malware) 12->108 110 Contains functionality to detect hardware virtualization (CPUID execution measurement) 12->110 112 Tries to detect Any.run 12->112 114 3 other signatures 12->114 19 SecuriteInfo.com.Fareit-FST36F52D915DF6.exe 4 12->19         started        23 Morningsu.exe 2 15->23         started        25 Morningsu.exe 2 17->25         started        process5 file6 54 C:\Users\user\AppData\Local\...\Morningsu.exe, PE32 19->54 dropped 56 C:\Users\user\AppData\Local\...\Morningsu.vbs, ASCII 19->56 dropped 72 Tries to detect Any.run 19->72 74 Hides threads from debuggers 19->74 27 Morningsu.exe 2 19->27         started        30 Morningsu.exe 7 23->30         started        33 Morningsu.exe 7 25->33         started        signatures7 process8 dnsIp9 90 Antivirus detection for dropped file 27->90 92 Multi AV Scanner detection for dropped file 27->92 94 Contains functionality to detect hardware virtualization (CPUID execution measurement) 27->94 96 Tries to detect virtualization through RDTSC time measurements 27->96 35 Morningsu.exe 7 27->35         started        60 wtstransit.com.sg 30->60 98 Modifies the context of a thread in another process (thread injection) 30->98 100 Tries to detect Any.run 30->100 102 Maps a DLL or memory area into another process 30->102 62 wtstransit.com.sg 33->62 104 Sample uses process hollowing technique 33->104 106 Hides threads from debuggers 33->106 signatures10 process11 dnsIp12 58 wtstransit.com.sg 172.67.203.253, 443, 49737, 49738 CLOUDFLARENETUS United States 35->58 76 Modifies the context of a thread in another process (thread injection) 35->76 78 Tries to detect Any.run 35->78 80 Maps a DLL or memory area into another process 35->80 82 2 other signatures 35->82 39 explorer.exe 35->39 injected signatures13 process14 process15 41 cmstp.exe 39->41         started        44 wscript.exe 39->44         started        46 autochk.exe 39->46         started        48 raserver.exe 39->48         started        signatures16 84 Modifies the context of a thread in another process (thread injection) 41->84 86 Maps a DLL or memory area into another process 41->86 88 Tries to detect virtualization through RDTSC time measurements 41->88 50 cmd.exe 41->50         started        process17 process18 52 conhost.exe 50->52         started       
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90a94255c2017221edd00cc99acd98a33e112e1182d9fd146d6a4ad9aa96921e/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-27 20:24:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=scuuevocafzcd3oqbtezvtmyum7bclqrqlm72fdnnjfntkuwsipa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
GuLoader
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
GuLoader
569b8cf6219a91161d48291f13285babe58b3be185623f3ec44c65c8369c2278
GuLoader
77839da1c15d6390080afe07320af399a007d5b69bf4fcdf63fc71e795929cf7
GuLoader
a574b201fa1b1b05d857cff48993efd19a3f700c55d6a7ea8ea9a1da30becb62
GuLoader
a63dfd81e0eb6283bc0051a3c1f80ba0eb818d132aafe5e6a1cc3cd63a3433ff
GuLoader
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
GuLoader
e3e778591453a54d2cbd3ab1bb4ecb69ed94222f248aac24a95fb951fc6101f0
GuLoader
ef14e580eca50b75acae60fa7c6642fa89fc91ee8492f5193608937f4d78781b
GuLoader
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
GuLoader
+ 3'465 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200827-7srfb4616e/
Behaviour
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/90a94255c2017221edd00cc99acd98a33e112e1182d9fd146d6a4ad9aa96921e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader

Executable exe 90a94255c2017221edd00cc99acd98a33e112e1182d9fd146d6a4ad9aa96921e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/51931/
  
URLhaus
https://urlhaus.abuse.ch/url/445294/
  
Delivery method
Distributed via web download

Comments