MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6acfb0076b3a4e817b12f1f4e91eb89dbeeee1bca29d591949b73dfb604ef68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	f6acfb0076b3a4e817b12f1f4e91eb89dbeeee1bca29d591949b73dfb604ef68
SHA3-384 hash:	16ae3df6c3bd6df958383db4174364d44362656652dfc8de6db4d7c95145b1edcb9d99f0ea7a47072b196138cd5bd083
SHA1 hash:	195f81939c849d387fb65a0b7d1e305c6fe9c487
MD5 hash:	10aa51722ee49f393ce1bfbc929991fc
humanhash:	cola-comet-island-music
File name:	E-Invoicing No.70015232_pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	110'592 bytes
First seen:	2020-06-03 13:03:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	706d202c50f598b515a86950b382a89b (1 x GuLoader)
ssdeep	1536:EkSPfxV40U1B9ROkgrKHxLdGKc+o0FDHdZ1gIrvnfsfT2pIgpRcv:ElPXUl+KVdhjFD9znvGypRcv
Threatray	2'226 similar samples on MalwareBazaar
TLSH	C0B38C07ED4D8543C1448BBD3D178E793E1DA90D4E441BEF717AAE9BAD312422CAB12E
Reporter	abuse_ch
Tags:	exe GuLoader Maersk

abuse_ch

Malspam distributing GuLoader:

HELO: mail.abidjiaintl.ml
Sending IP: 155.94.211.87
From: MAERSK SEALAND - INVOICING SYSTEM <casy@abidjiaintl.ml>
Subject: Maersk Sealand Container Invoice No : 70015232 Bank Virtual Acc No : 9868 000127604
Attachment: E-Invoicing No.70015232_pdf.gz (contains "E-Invoicing No.70015232_pdf.exe")

GuLoader payload URL:
https://cmdtech.com.vn/build__ol_OrFUVF212.bin

Intelligence

File Origin

# of uploads :

1

# of downloads :

67

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6267/

Detection(s):

Win.Dropper.NetWire-7996875-0

Win.Malware.Razy-7997182-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-06-03 13:47:35 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

16 of 31 (51.61%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=62wpwadwwosoqf5rf4pu5eplrhn653q3ziu5lemutnz57nqe55ua._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

guloader

Similar samples:

0f9f76e8ffa64b600745b99b8f7b51cfa151299424e6523995c6c0bcd7a5cd6b

136951ab2919602366049b534cc5159e1d6da7bc46a9131ce292dcefaf05c449

439b4bf202d997d215433860e0b2e2ccf9a53dde53f3c4a0482450d4550c4edf

a604cb5bd365ad6662b63b91c891d9af6c02a4fd89d29d6ad775d9401b31ac14

ad64a6eaa5d2494a4161158792e7cde3fb7d9a7bd36f06cc0de271192582f439

ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49

b584d8b69ef7c3f2689e4cecbec9932b84ca55e03c87b1aa9a9b9f56a1ba6c94

c1f40574d76ccbf75a61e6bbd123b59d1c384cd2c8d435cbbb2bc54211615e3d

f96524898a01e5bad30e3d007cd96ba787a25419141210042df0bff2afab6a02

fa905ffdb00ec8867a003c49ebfa43f6ff96b890c40b3fe31b0fc40bb344ded0

+ 2'216 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-qhvs26nex6/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz bb939efc95b45c09f4d3599c0d19051ac901ed2568823163517ef5a0f6b2b13a

exe f6acfb0076b3a4e817b12f1f4e91eb89dbeeee1bca29d591949b73dfb604ef68

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/376004/

Dropped by

MD5 0d8931dcf3fc70273ccf0b90561a9988

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 bb939efc95b45c09f4d3599c0d19051ac901ed2568823163517ef5a0f6b2b13a

Cape

Cape

https://www.capesandbox.com/analysis/6267/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample