MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9295800a68a51a4aab09c2785cd7887e867b59b267a1b2c27e0b06be7d1752e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	d9295800a68a51a4aab09c2785cd7887e867b59b267a1b2c27e0b06be7d1752e
SHA3-384 hash:	3e20751aa698a2d08fe92343d41c80e6121ca315de4d1d2fe624dd2aab5fd6611a6a5540cb011fe9b5ad46d2356b67f2
SHA1 hash:	dd355ba4027c8d1e186099b08d13437828f166f0
MD5 hash:	e0fb5abf495989506069e22c35d449b1
humanhash:	kilo-black-skylark-kilo
File name:	sniglbe.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	65'536 bytes
First seen:	2020-06-10 06:48:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ca58ee0ae1b28ee1b41cadbd5351615c (1 x GuLoader)
ssdeep	768:b6uGMjJvbviBAvriP/tXmoi0WP+uuA0FwFmB7OA0FZikgz66evLbx2FU:b6uG0dDEFXv3W3UOtFZikg4x
Threatray	1'045 similar samples on MalwareBazaar
TLSH	5D533A5B6E0CA953E16487B0296296A46719FC384501BF4B3F8C7F5DEA361827CE331B
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: box.dysonservicecentre.co.uk
Sending IP: 104.168.211.117
From: Anthony Such-uni <support001@dysonservicecentre.co.uk>
Subject: Dispatch Details // Invoice - EXP/23/20-21// Cont No- TGBU580623(1)40FT/Port-Norfolk//01x40ft
Attachment: Invoice - EXP23 20-21 Cont No- TGBU580623.pdf.img (contains "sniglbe.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1mgYo7MPYtJz7lS87QYpFURlhFP6pvBXB

Intelligence

File Origin

# of uploads :

1

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/7458/

Detection(s):

Win.Malware.Malwarex-8014471-0

Win.Malware.Malwarex-8014474-0

Gathering data

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-10 01:27:29 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3euvqafgrji2jkvqtqtyltlyq7ugpnm3ez5bwlbh4cygxz6rouxa._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771

4c83cd741a7210492c0146135bd247c08aac84ce75b26e520c1e74f806d71452

72eb2dc730e3574dcb204d37fcfb35cf91bacd8087d6028d743cb0992c874244

aa7170f4c174314d883e1d0a98a14b8256ab63b7ad80dffd45d0ace33ace4580

b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f

c98091ed44cd76e438ce2e7a9c71b57d37ff45903d365162040af94fa143b9f5

cebf765590be725ca5f5589e51a0e81236f6e63dae47f1cdff6029429827c0be

de5da2008e231c60a227d6700248953651e0242542f07027e400760283b91d42

e35d5297a515ddf23ac671f6110bb8f01a590e13d45dbeae5e96e0be414236b5

ea12fb909266d6a6f7315c8ffe0fcedb6b63ba660cd91e7c2ac4e6db14596171

+ 1'035 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-mftmce648j/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img e9d1a02bfb9a34b7542e1d9caba92a912830a80b7c82b474d77b65fc95692004

exe d9295800a68a51a4aab09c2785cd7887e867b59b267a1b2c27e0b06be7d1752e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/385259/

Dropped by

MD5 250954c8816e5a11d7a2565fda1374f1

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 e9d1a02bfb9a34b7542e1d9caba92a912830a80b7c82b474d77b65fc95692004

Cape

Cape

https://www.capesandbox.com/analysis/7458/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample