MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 996d663495ef1d96ee9fca68c07a4173910824b4956214edd0af1c53501608d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 996d663495ef1d96ee9fca68c07a4173910824b4956214edd0af1c53501608d7
SHA3-384 hash: d955503c1d6d31cf9a8e3872b578fb509f95579f822049a9e67b1669f19ed2b38abe89bb4c86db8f50810177ee02a7f8
SHA1 hash: 16a91460712aed481b5d92cbe11db2bd97436997
MD5 hash: c71e580ff7b78d2eac4be49a3872cc38
humanhash: grey-hawaii-april-oven
File name:ACCOUNTS SWIFT COPY PDF.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-06-08 14:48:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5c97acbb1fe9f6d954d9d56b9aa33c5c (1 x GuLoader)
ssdeep 768:qnsu1aL3mNtlrHBOj1M1GBqWJgvBlwZTHi6Jbo2vDLaPNY62s5p1xLXZJJkw:ysuRtSu1QsWZriabHHaq62s5p1xLXZj
Threatray 1'002 similar samples on MalwareBazaar
TLSH 6C839E1B7A15C912E20406B02CF3DE292B73BD1548426F4BB285BD4FE8BD7427CB662D
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: WIN-19RHAIQ62L3
Sending IP: 180.214.239.204
From: Accounts <admin@genobose.cf>
Reply-To: kimhilary164ever@gmail.com
Subject: RE: Final Swiftcopy $40,700
Attachment: ACCOUNTS SWIFT COPY PDF.iso (contains "ACCOUNTS SWIFT COPY PDF.exe")

GuLoader payload URL:
https://www.wewilltransportit.com/bin_0.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7078/
Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 14:50:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfwwmnev54ozn3u7zjuma6sbooiqqjfusvrbj3oqv4ofguawbdlq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0c69b80c225b95161ab357d6a35bf54846167a38bea69de84371c283ffcd0a8c
GuLoader
2ffbb987622b48ac9e1b3a53291f9af5a3949ba14019d43756a8219f66af0a86
GuLoader
494d5e5f87c9552bce9a4c255ab358cabb144982fca06703255e0ec791626865
GuLoader
7dc9d4200ada4d75e50d7c4ed86eef952334e4bb69da0464122682e7aff8d971
GuLoader
869df63edd9b9c96960da5d8022b1194c9f16b4a1f0b9ebfc7860e1aa2fe41a2
GuLoader
88dfd10d3d3b459c8284f0c64b88786c5770eb2b75436be9951ad1117c1b6a0f
GuLoader
b189f4b81e32c2be2c252d6f6ba160bf8566aa74be9642af4af5e3b424be54ca
GuLoader
de5da2008e231c60a227d6700248953651e0242542f07027e400760283b91d42
GuLoader
fc69637262c3ccd722552ece430c078195f3999934cccabdb2fcf0a6e2fe9446
GuLoader
fde85b3d5e4784dcef4c245c1db1ee0bb5d496fe4de8548594f569964715d515
GuLoader
+ 992 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-vlzzw4e3tj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso 81254ec12347967deb4e7035cb7e28fe1495a9ef705598a7a1abb4821c84e3c9

GuLoader

Executable exe 996d663495ef1d96ee9fca68c07a4173910824b4956214edd0af1c53501608d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383214/
  
Dropped by
MD5 6c9a5df88bfe3bd66608e1958dff2b66
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 81254ec12347967deb4e7035cb7e28fe1495a9ef705598a7a1abb4821c84e3c9
Cape
Cape
https://www.capesandbox.com/analysis/7078/

Comments