MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e73f4dbd13dd1cf8475bab8fae351b8a05507e429bd3b3700fca13dc764d66a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	8e73f4dbd13dd1cf8475bab8fae351b8a05507e429bd3b3700fca13dc764d66a
SHA3-384 hash:	2d39465f7a3adb3f6d36a149bca38dc6618f06e67a64afdd4ca690e4cefd998a6f043e5ae25cd151de187dbbf0e7cdd1
SHA1 hash:	074a55120f39816e6fa4717e448b914ca5d784fc
MD5 hash:	769d2eee917ce8d0421e82f7d49c84b0
humanhash:	cardinal-alaska-missouri-magazine
File name:	New purchase order for nazir_06082020_pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	81'920 bytes
First seen:	2020-06-08 12:09:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fad5c03f9151eb97bbc6bd4cc70b37ef (1 x GuLoader)
ssdeep	768:fu1aL3mNtlrHBOjKpmPiies0nAMuZTHi6JYFnFudX7eoD6BxsmmNUzWrVF3F:fuRtSimohAMuZriaaudXqdxsmmSAV
Threatray	2'106 similar samples on MalwareBazaar
TLSH	7583AF136D68C502E25607702CA3AEFA2B95BC294C413F0F2549BF9BD875B51ACB633D
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: s1.smallhost.in
Sending IP: 103.46.239.70
From: Nazir & Sons Co. (Turkey) <rubab.s@nazirandsons.com>
Subject: NEW PURCHASE ORDER FOR NAZIR
Attachment: New purchase order for nazir_06082020_pdf.arj (contains "New purchase order for nazir_06082020_pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1gS2KOsl52ZF87CbrpWTPmO-nhDf_Fjip

Intelligence

File Origin

# of uploads :

1

# of downloads :

83

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/7007/

Detection(s):

SecuriteInfo.com.CLASSIC.143.UNOFFICIAL

Gathering data

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-08 12:11:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rzz7jw6rhxi47bdvxk4pvy2rxcqfkb7efg6twnya7sqt3r3e2zva._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

20b3c1c5495ed7389cb63dfe6f990c7acd72edd8a6e385cbe698702647d44649

23eb70abd818d93364ae2f896425d05fd38788c54429f874fabade1671b267b6

890d50ea38e546ea886c5e1d211327e2d4573f3a55f1afc56eacc36ed2187474

89e54f19c04bb28c90f0ee75419a149c8178f9841435a20be727506d0c9506d3

bf6d2e90c5fd6b327f1e513402eb01491ac8487b682243450ad684de5e6e62d4

d05800ab82af8100fbb6ee66729de2aa580f8acde780df49ef14b4213f316e87

dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6

e01f7d5f5a34bc9fde408c3f3fb441b76b6a2c3e2915cbf98ac5ca84e61e2b5d

e09fbb76c70deb9d0d2b2eb99f4d179783e54fc42440c8e478ee834457982f9e

fe7a6728da6e544a5963774daa1bae063246a1211a815abdb736ea7a31d7bd30

+ 2'096 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-7gelsrlvss/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip e9a9ab18a2cedc4bdf9f8c96bc0277fd05b49d0d66cafdc181456a599cf903ca

exe 8e73f4dbd13dd1cf8475bab8fae351b8a05507e429bd3b3700fca13dc764d66a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/383145/

Dropped by

MD5 beb70c0dd55dd4327d561fe4f22d72ef

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 e9a9ab18a2cedc4bdf9f8c96bc0277fd05b49d0d66cafdc181456a599cf903ca

Cape

Cape

https://www.capesandbox.com/analysis/7007/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample