MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bee2e75a7187b8d59c62e37425a14998512cdc6d5cf0023151ad071f0750f4c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	bee2e75a7187b8d59c62e37425a14998512cdc6d5cf0023151ad071f0750f4c7
SHA3-384 hash:	5128466242372f59f48d94dfea882c80d9197201217a7fe191407aacc1638ec47de59154e6999d0c9b4e53d641958e4d
SHA1 hash:	b7005118fadc1be4b563815c3f674f731d90fd1c
MD5 hash:	c57167e8b33c683c78e4b4f3fc8cfe97
humanhash:	lion-eighteen-georgia-magnesium
File name:	valgnederlagenes.com.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-06-09 11:53:57 UTC
Last seen:	2020-06-09 12:48:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	70e5e0c510dfdfe56354b0535933a9bf (8 x GuLoader)
ssdeep	1536:ze4u4c/lEiwWnSKBCTYdVen5J+GJNwK7OosYY8cnLhcQp9dOus89:ze/lBSKAToVeH++3alhcQZOus89
Threatray	1'998 similar samples on MalwareBazaar
TLSH	31A39EBABAD16FA1F5440AB539B4866820BBBC3112C1C61F63C06F3E2672D95F472353
Reporter	abuse_ch
Tags:	exe geo GuLoader TUR

abuse_ch

Malspam distributing GuLoader:

HELO: ber-sa.com
Sending IP: 45.153.241.147
From: surat<admin@ber-sa.com>
Subject: ISTANBUL PROJECT-OFFER REQUEST
Attachment: PO-order782637728278727783.img.iso (contains "valgnederlagenes.com.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=2A23967391108A38&resid=2A23967391108A38%21106&authkey=APY1s0yVrWA_NOk

Intelligence

File Origin

# of uploads :

2

# of downloads :

89

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/7300/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.ch.13057.UNOFFICIAL

Gathering data

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-09 11:55:08 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x3roowtrq64nlhdc4n2clikjtbiszxdnltyaemkrvudr6b2q6tdq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

0f9f76e8ffa64b600745b99b8f7b51cfa151299424e6523995c6c0bcd7a5cd6b

136951ab2919602366049b534cc5159e1d6da7bc46a9131ce292dcefaf05c449

439b4bf202d997d215433860e0b2e2ccf9a53dde53f3c4a0482450d4550c4edf

983a50787533f7fb48c7aeccfe0cc8ea3b16a76a39b22a1668ef800ed56556f6

a604cb5bd365ad6662b63b91c891d9af6c02a4fd89d29d6ad775d9401b31ac14

ad64a6eaa5d2494a4161158792e7cde3fb7d9a7bd36f06cc0de271192582f439

ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49

b584d8b69ef7c3f2689e4cecbec9932b84ca55e03c87b1aa9a9b9f56a1ba6c94

f96524898a01e5bad30e3d007cd96ba787a25419141210042df0bff2afab6a02

fa905ffdb00ec8867a003c49ebfa43f6ff96b890c40b3fe31b0fc40bb344ded0

+ 1'988 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-f7hn9gfxja/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 7b1192226860030d38e1907eb617eed0c8d3ecf5eff7ee0bd60f110e0c5f7ee0

exe bee2e75a7187b8d59c62e37425a14998512cdc6d5cf0023151ad071f0750f4c7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/384566/

Dropped by

MD5 86e55df25ca9fe2ffcf91927a269c5c6

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 7b1192226860030d38e1907eb617eed0c8d3ecf5eff7ee0bd60f110e0c5f7ee0

Cape

Cape

https://www.capesandbox.com/analysis/7300/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample