MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6
SHA3-384 hash:	fdaee5dbb11b95f11e000538ae2392ad01b69b78239f8bb0c94c81301225476f3a35d461c9f29be1ab878e5d15e3f286
SHA1 hash:	47aac5437f3955d9188e8102630d7a306b85608a
MD5 hash:	b63bce599154f33fbac6580ddd6d14b7
humanhash:	fruit-foxtrot-carbon-ohio
File name:	Daiho_Sea_Air_Invoice_pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	81'920 bytes
First seen:	2020-06-05 13:37:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3f90a8053f45e5d2252b6c5ee35aa947 (1 x GuLoader)
ssdeep	1536:DpyNDrdLtwYM32/weregrGowDwvXv0xzUH8Nd7U2S:NcrdhTM3YwQiE30xzPE
Threatray	2'351 similar samples on MalwareBazaar
TLSH	4B838D037D1CD982D15507B52D139EE92F27BD2848419E4B7528AF8EFDB138368E722E
Reporter	abuse_ch
Tags:	exe GuLoader

abuse_ch

Malspam distributing GuLoader:

HELO: novo.com
Sending IP: 83.166.243.90
From: Lee Si-eun <lee.hoh@daihosea.co.kr>
Subject: FW: Daiho - Please Confirm PI
Attachment: Daiho_Sea_Air_Invoice_pdf.gz (contains "Daiho_Sea_Air_Invoice_pdf.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1imMZwz4HguPdbDq4__E19bbPfL46ZNpn

Intelligence

File Origin

# of uploads :

1

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/6685/

Detection(s):

SecuriteInfo.com.CLOUD.27429.UNOFFICIAL

Gathering data

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-05 01:08:07 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=37tg2ltzhc7njzcff6bfdgulalikzcphina2jk7ormxmdrvh763a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

20b3c1c5495ed7389cb63dfe6f990c7acd72edd8a6e385cbe698702647d44649

23eb70abd818d93364ae2f896425d05fd38788c54429f874fabade1671b267b6

890d50ea38e546ea886c5e1d211327e2d4573f3a55f1afc56eacc36ed2187474

89e54f19c04bb28c90f0ee75419a149c8178f9841435a20be727506d0c9506d3

8e73f4dbd13dd1cf8475bab8fae351b8a05507e429bd3b3700fca13dc764d66a

bea57552e1978630f3038e4df06ea8fe0d34c9c1656c971f2bb01a894b0f67eb

bf6d2e90c5fd6b327f1e513402eb01491ac8487b682243450ad684de5e6e62d4

d05800ab82af8100fbb6ee66729de2aa580f8acde780df49ef14b4213f316e87

e01f7d5f5a34bc9fde408c3f3fb441b76b6a2c3e2915cbf98ac5ca84e61e2b5d

e09fbb76c70deb9d0d2b2eb99f4d179783e54fc42440c8e478ee834457982f9e

+ 2'341 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-5nlhnq3das/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip c86eecebad683796df13e2ca9d95a2cacbdb9f149ba388cb1e0af9b590dccda4

exe dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6

(this sample)

Dropped by

MD5 567d30ff7b55c5ce7a29ded374423fa7

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/6685/

Dropped by

SHA256 c86eecebad683796df13e2ca9d95a2cacbdb9f149ba388cb1e0af9b590dccda4

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample