MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91317bfa0133687ff1ed62c9f259ffd823a8e64efa34ab6c98ab4e748b497029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	91317bfa0133687ff1ed62c9f259ffd823a8e64efa34ab6c98ab4e748b497029
SHA3-384 hash:	e091344378c4f5918f9d4377935bd2f9c932c7a6de3c8f51031c5c7668b88a5043eb186dc675621da24253ad35ba7193
SHA1 hash:	59c5de8e8e75bbb2a357fb7884dc7503e38df7f2
MD5 hash:	63008a21a92c874863b5fe6b9850a2da
humanhash:	alpha-eight-colorado-montana
File name:	ID547-MSC-202041789BL DRAFT.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	192'512 bytes
First seen:	2020-05-28 07:22:26 UTC
Last seen:	2020-05-28 08:22:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	93cfe9facdce13b1f81174b8847db668 (1 x GuLoader)
ssdeep	1536:aRrt72aSxIA2Quq+VjNcFdGhLpu1yK4UZMjXEifuB0c3J4XTXHfywTyOa7MBfT:2rtSa2pLL+VOFJMjXEgpjXnP
Threatray	1'643 similar samples on MalwareBazaar
TLSH	48145B26F652CCE1CE9049B0D8D6C5F45521BC16E83B4A637AC07F6F723A193AA61336
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: merbabu.asiakom.net
Sending IP: 202.51.253.120
From: ID547-MSC IDJKT IMPORT INVOICE <ID547-id.systemautomail@msc.com>
Subject: Notice of Arrival for MSC B/L :MEDUG3735396/MSC CARLA 3/HC009A PACKING LIST
Attachment: ID547-MSC-202041789BL DRAFT.gz (contains "ID547-MSC-202041789BL DRAFT.exe")

GuLoader payload URL:
https://kinansreview.com/build_NEW_gLpjIcLUO232.bin
https://cmdtech.com.vn/build_NEW_gLpjIcLUO232.bin

Intelligence

File Origin

# of uploads :

2

# of downloads :

80

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/5813/

Detection(s):

SecuriteInfo.com.Win32.Injector.EMDX.28038.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-05-28 03:56:11 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

16 of 31 (51.61%)

Threat level:

5/5

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

4b610516f134b6efb2100a2e298a70b573be1cd6c4d653af007b907f11ff065e

5a30aa9032bf9eb86209f176404481e70fa108b689330a2544ce0b54fa959ab4

6ba2ab2afade3c48fb86ce5290a0980f19e901117033cb723cfd48b3ab2c6888

8b791216101006bea031bc4ff657001f95cd58ed1db4429a242d79050f947d40

983a50787533f7fb48c7aeccfe0cc8ea3b16a76a39b22a1668ef800ed56556f6

ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49

b666f8a605a45edebf5a3980675d00b84343a9b3c7a6d00fb90c37f40b55ac57

cebf765590be725ca5f5589e51a0e81236f6e63dae47f1cdff6029429827c0be

eec46d65be09a86f25c891d462671a7a0b3140ee4a8a6ac0a9fa7e1c56a8cb40

f6acfb0076b3a4e817b12f1f4e91eb89dbeeee1bca29d591949b73dfb604ef68

+ 1'633 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-vp1v4sktdx/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 0e3a8546773cbaeb38ff464d2b831e4ef4f386d675dcb1e35867bb114d8b31c5

exe 91317bfa0133687ff1ed62c9f259ffd823a8e64efa34ab6c98ab4e748b497029

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/369924/

Dropped by

MD5 2bfbe9e0c34220bc7f94491d019af9db

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 0e3a8546773cbaeb38ff464d2b831e4ef4f386d675dcb1e35867bb114d8b31c5

Cape

Cape

https://www.capesandbox.com/analysis/5813/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample