MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b
SHA3-384 hash: e0116f2d7029d5738e9e99af6d84dfd6e648dd27730a0a137f294d2dbbc0babbdb1bf5b8675678929734aac3eaab7503
SHA1 hash: e1594d15918bca308a39c13f66a13d18e9f6c776
MD5 hash: 1072af4cce0c15a89d9104eed3012624
humanhash: eight-nineteen-montana-potato
File name:Payment confirmation 1st installation SWIFT- 8987TT 55654399086.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:192'512 bytes
First seen:2020-05-28 06:30:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bb67746e2d3be2ed36ad2854d48d0a4 (1 x GuLoader)
ssdeep 1536:byElZoMW6r1geoDagiUs4s4KuZvdx1pwUh1LWibin67WNtsDz5nCONgMgoC:uE0Mtr1mDa1AVLrigW+XC
Threatray 2'490 similar samples on MalwareBazaar
TLSH A5144A33BA6ADCA7DA890974DDD1C4F81871BC24D8138A3B71C0BF2E7579087A916736
Reporter abuse_ch
Tags:FormBook GuLoader NetWire nVpn RAT scr


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: biz2.con-fer.org
Sending IP: 95.214.9.110
From: SARICA Levent <contacts@con-fer.org>
Subject: Attn: sales Balance Payment first installation SWIFT 949950TT
Attachment: Payment confirmation 1st installation SWIFT- 8987TT 55654399086.zip (contains "Payment confirmation 1st installation SWIFT- 8987TT 55654399086.scr")

FormBook payload URL:
http://naturepack.cc/files/bin_ArPodh112.bin

NetWire RAT payload URL:
http://naturepack.cc/files/RTXN.exe

NetWire RAT C2:
185.244.29.175:7070

Hosted on nVpn:

% Information related to '185.244.29.0 - 185.244.29.255'

% Abuse contact for '185.244.29.0 - 185.244.29.255' is 'abuse@gerber-edv.net'

inetnum: 185.244.29.0 - 185.244.29.255
netname: GERBER-NETWORK
descr: Wonsan, Kangwon-do
descr: Choson Minjujuui Inmin Konghwaguk
country: KP
admin-c: GN5022-RIPE
tech-c: GN5022-RIPE
org: ORG-GN148-RIPE
status: SUB-ALLOCATED PA
mnt-by: GERBER-MNT
created: 2018-01-31T19:41:57Z
last-modified: 2020-04-06T22:16:40Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/5787/
Detection(s):
SecuriteInfo.com.ArtemisFCFB187C0130.14803.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 06:36:30 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 48 (45.83%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
19307b5746bbedc1461d2fdde14bb9b61da5b76af0f2dff6295e05e9ea855f24
GuLoader
448379f1a0a59fa0a84180351e48559c9ed7ea6875cdd525782b714a77a2fff9
GuLoader
610ab1c6d1d8f59195b85cc6bfb496adb9e6ce8d2f4e6764b84eae8bb5ae2cc9
GuLoader
6a6153c0ed8295d63f23fae313939e61eb3f94cd61f7a34a22a6557318f032f1
GuLoader
7bcfd6304cf50881a7f42942fe80cdc0d26bd2f0934c6e2bc8df904a414fae4c
GuLoader
99b13841abbf0c2bf736ab08e0e7f48cd28cab2e69eff60399de65e0eced2e68
GuLoader
a8327d7e2395ea7fb71062275b3a7f24ce586d7ccd0301ed2a1df1699e2d9b9b
GuLoader
b69b9b6a6a6ddfcf0705b42fbf85f39534bef23b4a10a1b916ad105b6ac0ff62
GuLoader
cfad7f3408fcc08ca91d0e0fe624088c1c2fda17b460e17812c0362061124b18
GuLoader
fbfebf420c076687262aa7a863151825402349231fe15f6ea52e680f19b11cfb
GuLoader
+ 2'480 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-sm2axcp2rj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip eea878ddf832542b6a4265d632e73d2f43fe76b633acdc63fb3c20435d2ac199

GuLoader

Executable exe 0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/364770/
  
Dropped by
MD5 2b195d8cb267104f12c5118f3e6870c0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 eea878ddf832542b6a4265d632e73d2f43fe76b633acdc63fb3c20435d2ac199
Cape
Cape
https://www.capesandbox.com/analysis/5787/

Comments