MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ff7a063a7cb0d3253dbbe024a560b86c267b2a6e3a4d355f993e0e4361b6450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ff7a063a7cb0d3253dbbe024a560b86c267b2a6e3a4d355f993e0e4361b6450
SHA3-384 hash: e6cd5628282f0d9e380fc761abdc87660357b2e81e28111ad8e0d55314b92c7bfd7066ccb153bf5fb2e31a2fc9a9f64d
SHA1 hash: 2ac3f890fe11358fdf5f1a5191eaf8a7cb226f34
MD5 hash: 3cad4a9f92bdcf2da8a9f471457b1169
humanhash: item-orange-kentucky-lemon
File name:anisalsupercu.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:65'536 bytes
First seen:2020-06-10 06:51:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d9bb0f529aacbc65c1048b9a9ed864d (1 x GuLoader)
ssdeep 768:bL3GMjJvbviB3eCoiKGccP6ztOHQDuimJn3ds60hdOP19Z5kaqDSRMT6pQJ:bLG0GuzGccP6JMQFmhWdOh5LQJ
Threatray 1'027 similar samples on MalwareBazaar
TLSH 38534A4B6E0CD953E06087B02D3291A52719BC285901BF5B7E4C7F6DEB31682BDD331A
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: loft11155.serverprofi24.com
Sending IP: 188.138.57.207
From: Katia Jamieson <katia.jamieson@faber-castell.com.pe>
Subject: NEW ORDER_Faber-castell
Attachment: NEW ORDER_0024091.ARJ (contains "anisalsupercu.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=115ym8Wl6M_jzLJIwzT-6p9OidXfQDvL3

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7474/
Detection(s):
Win.Malware.Malwarex-8014471-0
Create hunting rule

Win.Malware.Malwarex-8014474-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 06:53:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b732ay5hzmgteu63xybeuvqlq3bgpmvg4osngvpzspqoinq3mria._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
GuLoader
23cfbb0bf1e110a79678f45c29897e6090b660d3df420bbb916fc3f1bc12eead
GuLoader
268953af63bad4895dd06c024fd1ec2af2c134623a0e100e26894e4d6bab741e
GuLoader
352837f7f48c65bab461ad1a4b907226f08604cf13390f8e187daf08e0da7aa5
GuLoader
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
GuLoader
6604738347de31acf8c045750f89e3f8e1bf57e29007dbc0fd7e21fb4d7e9aa3
GuLoader
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
GuLoader
96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
e7d2deba4fccbea79ffa209ebe0ce49f98aecfb340c8d6ec3ea1773cb12cb07e
GuLoader
+ 1'017 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-94t2zx6byn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj fd54325fba167e3c60263a5171662a04014f73b66251119b82c16d01b2ed7d4e

GuLoader

Executable exe 0ff7a063a7cb0d3253dbbe024a560b86c267b2a6e3a4d355f993e0e4361b6450

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/385251/
  
Dropped by
MD5 69454713b8e55196191faa9cbf190686
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fd54325fba167e3c60263a5171662a04014f73b66251119b82c16d01b2ed7d4e
Cape
Cape
https://www.capesandbox.com/analysis/7474/

Comments