MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cfb7bcb7fec9c1387f38ecd7ebb9456ff4a1d797d0edfb3b467ff9a7661d8ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 4



SHA256 hash: 0cfb7bcb7fec9c1387f38ecd7ebb9456ff4a1d797d0edfb3b467ff9a7661d8ed
SHA3-384 hash: c44d881a72bb523e8932bdb500b2e2094f0febdf7ca6659be8c899eb9d8263245fbae2c57fe2dfa31c5c99d560c6efbc
SHA1 hash: 7500e53fa48c0356a3e0f1067e25cf9e1ffc3ac0
MD5 hash: 22d8e679fb3d6a2fc740f4ea616b97cd
humanhash: hawaii-december-solar-mountain
File name: Purchase Order.exe
Signature: GuLoader
File size: 73'728 bytes
First seen: 2020-06-09 06:41:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5b4f2c239ba7c6badd8fe4e714e584c7 (1 x GuLoader)
ssdeep: 1536:b6uRtSMc/6CEpJgGv9Zria1kqUYti5pTAHb:HS6T/PBRMqb
Threatray: 790 similar samples on MalwareBazaar
TLSH: EA738E03A908D663F15406B15CA78AB91F1B7C244E829E8F31C9AF5FD9363516CAB32D
Reporter: abuse_ch
Tags: exe GuLoader


abuse_ch
Malspam distributing GuLoader:

HELO: server.vimsmail.com
Sending IP: 198.57.186.8
From: Angela <angela@texwelldone.com>
Reply-To: angela@texwelldone.com
Subject: Fwd: REQUEST FOR QUOTATION
Attachment: Purchase Order.zip (contains "Purchase Order.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1bG8yc_o-AM-F8_LsZPB79N1mq3YilFxt

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-06-09 03:06:02 UTC
AV detection: 23 of 31 (74.19%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_vobfus_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 0cfb7bcb7fec9c1387f38ecd7ebb9456ff4a1d797d0edfb3b467ff9a7661d8ed (this sample)

  
Delivery method
Distributed via e-mail attachment

Comments