MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487
SHA3-384 hash: b3901328d88650b607449758432daa24709d499c19746febf8333955727a732fc97c93f9edcf5f3018ca0bcdd5ad85ce
SHA1 hash: 34cf15e818d89b08412affbbc11036c43d04d607
MD5 hash: f9d17cae04b7906961c84a16d1021ae9
humanhash: massachusetts-william-blue-triple
File name:PO_#1578.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:81'920 bytes
First seen:2020-06-08 12:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b52496373535bc9b574d4dd02329f6d (1 x GuLoader)
ssdeep 1536:zMysFY6TjMoQcw0goKK2DViDpNSquQWb65xvre5gnansEG:zxxuQoQcwntSNSqu65xvre5gnasE
Threatray 5'133 similar samples on MalwareBazaar
TLSH 4383AE237C45C942E06547F39CB39EA42726AC185802BDA73694BD9FDCF27C66CA523C
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: yuntong-batt.co
Sending IP: 111.90.141.203
From: Regina Gastone <regina.gastone@yuntong-batt.co>
Subject: RE: Purchase Order/Payment
Attachment: PO_1578.rar (contains "PO_#1578.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=17wZY724BTYpAcG74ZVpGLSF09yTIEWlo

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6998/
Detection(s):
SecuriteInfo.com.Variant.Razy.681846.16754.11177.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 10:31:00 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s376s775kvpi6ezjxislidf2kmqnlpa66up3afk3txvflp4eesdq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
023ca25a18e7b6fe4c2346878ff4e688c011ef10900611f59689c4881f76579c
GuLoader
0f9158444d5e5387bfc619b035fbc31625cc933643f3eea063eca29cc33455ef
GuLoader
161ab2a24a2f0a71e1a50d1110b3ca25ec1a53c1412c2235db94a871bc3c9563
GuLoader
2909ff5bce8e72f2007455c778afbe46192919731b197e654e6e03f47cbe421f
GuLoader
538b5708c76c86e74b0bf54772daa9bda7c7bab48b5261541a3bf128714d8e68
GuLoader
65a02f6b451bb5ccf5d443b7976da84cb80812e24a909d1038423bfe5ac5e2b8
GuLoader
8b9bbca00335521a8fa45d5abf271ccf0eac27d70e44140355f7af671c3dbe7e
GuLoader
986db22a45f9c417139adb5a9fe1708dedc8b029a428e9db880b2cb7408c5d2d
GuLoader
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
GuLoader
e2e86de59b03cd68c6795d391938d75dac7fa0fe0d5bf497a075402686eba01d
GuLoader
+ 5'123 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-tl6d7qc5fn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 90341b52ce50269f984793252168ea63a377aeba8aa60055b77ec81d18b5e43a

GuLoader

Executable exe 96ffe97ffd555e8f1329ba24b40cba5320d5bc1ef51fb0155b9dea55bf842487

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383087/
  
Dropped by
MD5 7073363d121e3d49ceb3dca2d940027c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6998/
  
Dropped by
SHA256 90341b52ce50269f984793252168ea63a377aeba8aa60055b77ec81d18b5e43a

Comments