MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24ebf6b9c1e61b3bdf58d0678683a8cae05860849a4d8b58a089af47a5ef67f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24ebf6b9c1e61b3bdf58d0678683a8cae05860849a4d8b58a089af47a5ef67f7
SHA3-384 hash: a633741c2f84581d22abe20d063328a6a65d2d8791de0fa92a7cac4f8a7f0d93b1c0beb6ccd7b0a9b743d9a589995a7f
SHA1 hash: a12b90ffc726fca14e4239bf91a4efe009541ee2
MD5 hash: a071fd958333490e698eb4a98b9e6aef
humanhash: may-grey-hamper-bulldog
File name:TNT Original Invoice.scr
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'824 bytes
First seen:2020-06-08 05:02:26 UTC
Last seen:2020-06-08 06:24:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f9494edf60f83cde12fb291323eb91c (1 x GuLoader)
ssdeep 768:CysfNpuRnnPilTjATMIWKgMFN+LMciOLqQpTkRXQJtEWx4Be3KOluygzrgSwIZFC:CysFY6TjMdOmYvL7p0goKKpyCO
Threatray 1'001 similar samples on MalwareBazaar
TLSH 8773AF03AC08E9A3F04086F16D938AE5671B5D2A6E025AD77B592FDFEC306C25DF121D
Reporter jarumlus
Tags:GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6953/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43300927.11829.15707.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 01:06:14 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=etv7noob4yntxx2y2btyna5izlqfqyeetjgywwfargxupjppm73q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
150399bdd91521ff244c8c83aa0ebede3560304bcd38a0fd21a189fa34b605da
GuLoader
15187de4f29194c60f3f199549c345592e967ee8ecf9a39b0a40c1796fdb222c
GuLoader
17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771
GuLoader
4e49f5147939257640ba4990f520c9dbe355c83b73d9deadfc8505c4a09f931d
GuLoader
511e0187a9180a083947a3bb3de77215fd37b0cae921181dee572bf537d2bea9
GuLoader
6535df8dcbd659939c18a93ee2b58e8ef05898e1baa30932cf3cfa876659d183
GuLoader
799d1f1babff3cbb4d32af69d12948ff5de47016063eea48756323516ed96337
GuLoader
877f342fa777bd70c1308b545ddaff6e70d9a8840c819713e34fcef56e736630
GuLoader
c42ae355f2541ec7be30e51b1fcb50a1c7d8b0d6afa717dab533369cb5a69011
GuLoader
e265bbf3f727ff892423b3e24b5368ab4f694c86334bf68ae62ff20dfd7ce5b6
GuLoader
+ 991 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-dxfgskzlf6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

ace 0a19acf0507780f91c3ec992408b393178698e8c07828caac5a0348e186c05c2

GuLoader

Executable exe 24ebf6b9c1e61b3bdf58d0678683a8cae05860849a4d8b58a089af47a5ef67f7

(this sample)

  
Dropped by
MD5 a9d6a3d906de1f304dbe74a5373a2fcc
  
Dropped by
SHA256 0a19acf0507780f91c3ec992408b393178698e8c07828caac5a0348e186c05c2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6953/

Comments