MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 720004239ef0cb716b2f0d8793cfe7fb06d408cd5c598a6c726aab7f21c0bad0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	720004239ef0cb716b2f0d8793cfe7fb06d408cd5c598a6c726aab7f21c0bad0
SHA3-384 hash:	2f64fb178d8dc902d4a4bd5c22f8c3cc5bd9e8e9830a67ef02ab3f58a3d44cb99020397b4ccef4a67a248b9f64108669
SHA1 hash:	b30b7bf54a7872d6578cf185399fad94b8845789
MD5 hash:	754e8802e57da987ca7c137b0736727b
humanhash:	maine-missouri-white-five
File name:	Purchase Order.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	90'112 bytes
First seen:	2020-05-12 15:44:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dfbb452d349eacc9448c66b50fca1aba (1 x GuLoader)
ssdeep	768:ZaAbThw006m8g2MFO7fX6zn55U8Yq9aMyuHux1cg/2RtEufXkhca7Di:0AbVw00F8g2MI7f6ncMyL1CthGi
Threatray	884 similar samples on MalwareBazaar
TLSH	EB93392276D4DE3AC61D4E715B2AB798094BFCB04D02894375C13F7E5BBAB12E82531B
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: tevapharm.com
Sending IP: 37.49.230.207
From: Ricardo <tevair@tevapharm.com>
Reply-To: onemilliondo@gmail.com
Subject: New Purchase Order from Teva Pharmaceuticals, Ltd.
Attachment: Purchase Order.zip (contains "Purchase Order.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Fareit-7784794-0

Win.Dropper.Ursu-7784851-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-05-11 23:29:25 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oiaaii466dfxc2zpbwdzht7h7mdnicgnlrmyu3dsnkvx6ioaxlia._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-trjrhymrmn/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 52c7c13d415b878581b28e0fb576e4397fd81d5b036ebe125521f4d1d94f04f3

GuLoader

exe 720004239ef0cb716b2f0d8793cfe7fb06d408cd5c598a6c726aab7f21c0bad0

(this sample)

Dropped by

MD5 d1e76273ccd8a7839fa4a2cdec869cda

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 52c7c13d415b878581b28e0fb576e4397fd81d5b036ebe125521f4d1d94f04f3

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample