MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea0bcb9c44a356945727a78ca03b727f5ce4dd69accb51dc7fee5918477133be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	ea0bcb9c44a356945727a78ca03b727f5ce4dd69accb51dc7fee5918477133be
SHA3-384 hash:	bd5c9666015892fac8935da1c9cf34bf091d9f7d8d223c20794191e8f5031dc4bb9d78ea97a41b4cb15ecf30d75fd9b9
SHA1 hash:	58726e3f67c24cb1a2bee2cb5439221155eb5e57
MD5 hash:	70d397bbb7c54497ae0d493c7f127de8
humanhash:	moon-sodium-undress-johnny
File name:	payment inv.scr
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	73'728 bytes
First seen:	2020-06-09 06:43:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	925ac815dbe61c0b3ca497842588ac94 (1 x GuLoader)
ssdeep	1536:bRuRtS34J5Ui1Zria6WDwCiKVV3uQ6W1e/:I4aHwCiKrZT1e
Threatray	5'120 similar samples on MalwareBazaar
TLSH	C1738D137C04C253E05046742C979E691B2BBC288981AFDF6599BF4FF8727526CAE23D
Reporter	abuse_ch
Tags:	GuLoader scr

abuse_ch

Malspam distributing GuLoader:

HELO: ny.libconsult.ca
Sending IP: 23.227.201.155
From: Shabeer M. T. <habeer@ny.libconsult.ca>
Subject: Payment Assistance Due To Covid-19 Pandemic
Attachment: payment inv.img (contains "payment inv.scr")

GuLoader payload URL:
https://ny.libconsult.ca/bin_dSDTDTjp42.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

87

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/7265/

Gathering data

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-09 06:45:06 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5if4xhceunljivzhu6gkao3sp5oojxljvtfvdxd75zmrqr3rgo7a._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35

16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e

3d77c2490675a0f4e86f55ac8751a9a1912cd56bd168d9ae6c110cc385a65872

688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388

9e4dcaf1e587af9702c21677d6447f90eff8437573e8400a8668db31d7bc7c3e

a09022457c7802a48a3f2ef32b8008da65fb4b28b43c8e6ac37c44f0a3ecc028

c8b1244a4aa61a5efc1d6ced3ae0407111574eda81cbe9f01f269e5fae9bf4b5

d18ed67b05d0bbd6dfaba77a6053c92674bfef8abc8c7aae7c17f703adc6ea5c

e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0

fed9e44ddb370d622427fbda5d67440fb3435f1461f8c3331ffff1e1abba560b

+ 5'110 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-3246bxa8ne/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 3a977332d457ea29fa7b3fdda0c4b0669181018beff8848a5cdb01ffc32f40d6

exe ea0bcb9c44a356945727a78ca03b727f5ce4dd69accb51dc7fee5918477133be

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/384288/

Dropped by

MD5 d035435c61c04ee08c31dfa822d0a957

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3a977332d457ea29fa7b3fdda0c4b0669181018beff8848a5cdb01ffc32f40d6

Cape

Cape

https://www.capesandbox.com/analysis/7265/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample