MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83e97420dbe39c6e29e2ae3dad80f21afe93d1b6ea88962a89762cd64772db41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	83e97420dbe39c6e29e2ae3dad80f21afe93d1b6ea88962a89762cd64772db41
SHA3-384 hash:	b1a5e3e17b87a5e6d13331bb60837662dca09c5fe925ce5bb10fde2cfefd384b3a97ee942b3c6dd4620bb01093d818bb
SHA1 hash:	22b939539d18cc82e01b09008cd0b9a38a748b88
MD5 hash:	9e4140dc3bf64e7b02de1bd2149c75d1
humanhash:	white-nitrogen-steak-oxygen
File name:	Scan 562020 pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	110'592 bytes
First seen:	2020-05-06 11:03:13 UTC
Last seen:	2020-05-06 13:42:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e89fe7b6acb7c90544ec617af92b6410 (1 x GuLoader)
ssdeep	1536:iZ6Ud1ddZ3lTXEp+NebE097fOOM3TWVUy8bO:ikUD33zcEgpcTgUDa
Threatray	632 similar samples on MalwareBazaar
TLSH	8FB31C946AA0DC13E5597AB2EF84F15DE3A16C3968319A0332C1734A5F359C2EF2172F
Reporter	abuse_ch
Tags:	exe FormBook GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: sumo.com
Sending IP: 94.177.243.179
From: Esteban Forcat - Ferretería La Fragua SA de CV <esteban.forcat@lafragua.com.mx> <allan@colleen.ml>
Subject: Re: Beef and Squid MAX--NGM Order---19MS-407855 Lafruga fishco-gco
Attachment: Scan 562020 pdf.iso (contains "Scan 562020 pdf.exe")

GuLoader distributing FormBook

FormBook payload URL.
http://technotiempo.com/wp-content/themes/twentyfifteen/bin_XNjYuaWEr149.bin

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-05-06 10:48:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qpuxiig34oog4kpcvy623ahsdl7jhunw5kejmkujoywnmr3s3naq._file

Verdict:

malicious

Label(s):

guloader

Result

Malware family:

formbook

Score:

10/10

Tags:

persistence family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-bm68la4y16/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Checks QEMU agent state file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.mafov.com/xs1/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 4f0f09e0f2c73bfad2080a2e71c15777f002af3dd16643f041b050875afcfbb9

GuLoader

exe 83e97420dbe39c6e29e2ae3dad80f21afe93d1b6ea88962a89762cd64772db41

(this sample)

Dropped by

MD5 0283ac3a7ab3af5b000ebdfbf8176778

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 4f0f09e0f2c73bfad2080a2e71c15777f002af3dd16643f041b050875afcfbb9

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample