MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efecbafe7ddfe1306dac292dbd23be0caf62c5423a4c7a91086b0ca194a5e3ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efecbafe7ddfe1306dac292dbd23be0caf62c5423a4c7a91086b0ca194a5e3ed
SHA3-384 hash: a7e0f7048bae8c639a6f3563e4329fab137ba6a39fc7771dda0d648a9f4d21d1e744b7f912d53280fcebdd2da669bb85
SHA1 hash: d82a8ce1fd0e00ec51097efca0c318548ab88fef
MD5 hash: be61c54a184aae9c434adc59dd3cbde6
humanhash: don-utah-sweet-washington
File name:RFQ MOLD6312701 2K Modification.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'728 bytes
First seen:2020-06-09 06:42:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c73bb0be1e20577b20291a142a335cb (1 x GuLoader)
ssdeep 768:bVpu1aL3mNtlrHBOjoTLj8l/yitQFvZTHi6JjBlfTuFIrSzIjl9LqhUpeb:bvuRtS4jA/yit4Zria9lKLIh9LqG4
Threatray 5'103 similar samples on MalwareBazaar
TLSH C0739D136914C183E0500EF51C979EB81B5B7C684982AE8F7299AF5FE8353572DAF23C
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

From: "Klaessen, Jasper" <j.klaessen@vdlparree.nl>
Subject: Mold 6312701 2K Modification
Attachment: RFQ MOLD6312701 2K Modification.rar (contains "RFQ MOLD6312701 2K Modification.exe")

GuLoader payload URL:
https://djmixers.co/kcxbin_QlFdCwcYC87.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7259/
Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 06:44:04 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=57wlv7t537qta3nmfew32i56bsxwfrkchjghveiinmgkdfff4pwq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1621dac1140afd3e3eed4b0f4ab0a93e81cd56c76e7532a0cc03d0b5a8dae04d
GuLoader
43a2a98bb50daedc36c6f08ab5698638de59f80ad30f9754b8ff690d90c088f3
GuLoader
4e0e1ee117544cc9cb6784d36db3d349624ef1c888267b1e266a03ddb17d33a1
GuLoader
620e100a8454a1fe2978e299f7b591c07589bf257bd2b1913c3b7ad601699e4b
GuLoader
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
GuLoader
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
GuLoader
9747bf43bd88474f148cdd3bd1a5a8ffa391c53ed7846e15fb5138190b73ecd8
GuLoader
afa8c23ac5d9fc6fbe15cd6baf1b64c40efd1c62c9ddefe88329d26551db32f2
GuLoader
d18ed67b05d0bbd6dfaba77a6053c92674bfef8abc8c7aae7c17f703adc6ea5c
GuLoader
ee4ae13d3fd3b58d86e270db11937476b4b7add1673983c2c28ed4d7dcc75552
GuLoader
+ 5'093 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-k2bwlm465j/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 39ff1f68771298e3afe716df875f9ca82e9e9f8d539d8a22e9d889cbf340368d

GuLoader

Executable exe efecbafe7ddfe1306dac292dbd23be0caf62c5423a4c7a91086b0ca194a5e3ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/378975/
  
Dropped by
MD5 828566ffebb0da1c4127cddf36cef349
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 39ff1f68771298e3afe716df875f9ca82e9e9f8d539d8a22e9d889cbf340368d
Cape
Cape
https://www.capesandbox.com/analysis/7259/

Comments