MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa8949da882bd317bc4b975dac2514553258a79a3ec0e7bb2e029f61e131ed66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa8949da882bd317bc4b975dac2514553258a79a3ec0e7bb2e029f61e131ed66
SHA3-384 hash: 673edf61e1709b7eb0de62ae55d45ae59a1276e5e2d24ceb77d542d4b1ab7b2df51b364b17628810b3751a5ca9f0e4f5
SHA1 hash: 3c5bcdb7672a9fc707a6286a2128c716894deb51
MD5 hash: 5c61b7a3bf87711d4bda5e69861d3ccd
humanhash: may-william-william-michigan
File name:UNDERS.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:86'016 bytes
First seen:2020-06-08 18:59:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8ee0f9312ca548bda7b79a41cab626e6 (1 x GuLoader)
ssdeep 1536:Zyf8uRtSWkD+SCRCOCRCcrZriaR0RYLSjgTUq9xttXHxQEE:ZyhoDO8F8cuhgtLP
Threatray 824 similar samples on MalwareBazaar
TLSH 5A838E1BBA2CC142D54406B12CF28F661B27BD1548826F4B72C6FE4FE8B57427DB622D
Reporter abuse_ch
Tags:exe GuLoader


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: genopem.tk
Sending IP: 135.181.24.152
From: international payment <iban@crdbank.com> <admin@genopem.tk>
Subject: Project: BAB Integrated Facilities Project (BIFP) Closing Date: 30th May 2020
Attachment: RFQ Document_pdf.gz (contains "UNDERS.exe")

GuLoader payload URL:
https://onedrive.live.com/download?cid=F5533CD060D35070&resid=F5533CD060D35070%21177&authkey=AIicpy7xxFYR5kQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7165/
Detection(s):
SecuriteInfo.com.Win32.Injector.EMHI.11921.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 19:01:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7keutwuifpjrppcls5o2yjiukuzfrj42h3aopozoakpwdyjr5vta._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0c69b80c225b95161ab357d6a35bf54846167a38bea69de84371c283ffcd0a8c
GuLoader
2ffbb987622b48ac9e1b3a53291f9af5a3949ba14019d43756a8219f66af0a86
GuLoader
494d5e5f87c9552bce9a4c255ab358cabb144982fca06703255e0ec791626865
GuLoader
7dc9d4200ada4d75e50d7c4ed86eef952334e4bb69da0464122682e7aff8d971
GuLoader
869df63edd9b9c96960da5d8022b1194c9f16b4a1f0b9ebfc7860e1aa2fe41a2
GuLoader
88dfd10d3d3b459c8284f0c64b88786c5770eb2b75436be9951ad1117c1b6a0f
GuLoader
b189f4b81e32c2be2c252d6f6ba160bf8566aa74be9642af4af5e3b424be54ca
GuLoader
de5da2008e231c60a227d6700248953651e0242542f07027e400760283b91d42
GuLoader
fc69637262c3ccd722552ece430c078195f3999934cccabdb2fcf0a6e2fe9446
GuLoader
fde85b3d5e4784dcef4c245c1db1ee0bb5d496fe4de8548594f569964715d515
GuLoader
+ 814 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-e1hqqz29zx/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 81ffbd434ad4f0bbf3c11f9dd9af3c125c9dd46e840180e41533d46712e06257

GuLoader

Executable exe fa8949da882bd317bc4b975dac2514553258a79a3ec0e7bb2e029f61e131ed66

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/383776/
  
Dropped by
MD5 86b5a334a61a16c252cb9d441fcb73fc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 81ffbd434ad4f0bbf3c11f9dd9af3c125c9dd46e840180e41533d46712e06257
Cape
Cape
https://www.capesandbox.com/analysis/7165/

Comments