MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4888f20f69768fe2eceaab071e1866782db2076b0321e28b72cdf454d6385c35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4888f20f69768fe2eceaab071e1866782db2076b0321e28b72cdf454d6385c35
SHA3-384 hash: b38b1373e6d3ccb0d3edf2afeee7a050c189d43a12ac17dc2628e56262a32baf6960185cb923ef37dcc9f02f6b357238
SHA1 hash: 1fdd4651718b08e63fc22d2f115d375da012c486
MD5 hash: 4a1a441597fc3b50aab57aa48f17d17d
humanhash: freddie-potato-red-neptune
File name:4a1a441597fc3b50aab57aa48f17d17d.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:180'224 bytes
First seen:2020-06-10 18:56:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 907c347b3bf3e931014a9faed830c76f (2 x GuLoader)
ssdeep 1536:ptJuRtS3g0i9T/Zria/wyoPx/TkSqa3Q4S8eqHp:ptsIZi9T0yoPx/DrF5eA
Threatray 1'255 similar samples on MalwareBazaar
TLSH C804F4C27D40D001F45537B02D2E89EC16266CA7F8932BCF25FCBA6E79366C2586532E
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
GuLoader payload URL:
http://188.165.89.80/office_eDsgFpDI47.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7670/
Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 20:43:17 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jceped3jo2h6f3hkvmdr4gdgpaw3eb3lamq6fc3szx2fjvrylq2q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
006bb451c7207fa375e67a1684a97136a46beea1ff74e193eb4bbf6665a0ec9b
GuLoader
1262d63aabec1fe6b68df348419485b7bbe4fecec2bac3cdcc4fe42b12d24d96
GuLoader
12bae6b2d092fc8c776ea509d90b393df8e8f336214bb155f7e2d7f18beb4cb1
GuLoader
13393c26e42a0d09bbd796f3f9b5109dc0d2e7ff7bd7f4aac0aa0c879c5c123c
GuLoader
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
GuLoader
bc0a3976025579d4a076226c8b5b237e81eb42b558ce68855694c5963722acbd
GuLoader
cf6542bb87d706ab7d6fd3f7fa0a2594d3b0ed8a9d15b481252d0c405ecd36ef
GuLoader
d9ea7ed19010ef0c36ebd05d5abfd5624e21a33ad5e18ca36007671d86eba8b3
GuLoader
dbfdd9906827edada6d6bb63194a7b952f6e5f7592f59f2a9b7ff0dbe9dd01c0
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
+ 1'245 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-1ebrdj3g3s/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/385912/
Cape
Cape
https://www.capesandbox.com/analysis/7670/

Comments