MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcca738b7492f0d6fdb6eada6c111a2361d128ec5420fdcf91b8b56f1ecdb102. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	fcca738b7492f0d6fdb6eada6c111a2361d128ec5420fdcf91b8b56f1ecdb102
SHA3-384 hash:	982c44c82530ceda3c40c02bf9f32617b325771097fef5af120aca73d322e76d3d7da38fc0f5090cf79fc545bed9b411
SHA1 hash:	bc2310bfc59c94756e5135b62f2537195058fe07
MD5 hash:	80a6e210f4c9a0939cf66666d01360e2
humanhash:	autumn-enemy-delta-moon
File name:	Count.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	90'112 bytes
First seen:	2020-05-12 16:07:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	401496c24c0f17d805cb39fba6623b58 (5 x GuLoader)
ssdeep	768:PsJQfCBXmlqv1Bf5ub6Lqdx9EdHVcZFg17uQQnk5ahtHf:BMX4wH5a6LOx9EsZUKFt
Threatray	5'274 similar samples on MalwareBazaar
TLSH	02935C1773D0D623DB258FF05B2A9BA8055BFC712941892775C23BBD6676B02E4303AB
Reporter	abuse_ch
Tags:	exe geo GuLoader KOR

abuse_ch

Malspam distributing GuLoader:

HELO: mail-smail-vm38.hanmail.net
Sending IP: 203.133.180.226
From: 한석 이엔지 <yosiki55@daum.net>
Subject: 첨부도면 견적요청 드립니다.(한석이엔지 입니다.)
Attachment: file.img (contains "Count.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

83

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Mal.FareitVB-AB.2288.21900.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-05-12 22:56:43 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7tfhhc3uslynn7nw5lngyei2enq5ckhmkqqp3t4rxc2w6hwnweba._file

Verdict:

malicious

Label(s):

guloader

Similar samples:

17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f

2548272de2d930f99b953bf466d49d5f850f4f9105ff420937edfa9ae70aff7d

3bd58e3b3fe712e8d7595cfbd576a96251c68a5dac230bd3e778640e8eb817ec

7c4fd841e891e2be6f0757679701669e927c58aedc94de97104666f0e89f6b04

7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6

8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741

9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412

ce860f3976ba5df3c4465a4b60d12980677dccc961a9fa91555c7b9de14c3dd8

d4f92eedf4a8eb72f4825a974b88d094fe8ec8604d18735602536060e65a471b

f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c

+ 5'264 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-wydtynr6s2/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks QEMU agent state file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 46080225682415b0a1118da085aa79f8e06d26e36b7a43b9ecf58ee329717cad

exe fcca738b7492f0d6fdb6eada6c111a2361d128ec5420fdcf91b8b56f1ecdb102

(this sample)

Dropped by

MD5 9dde18ef7bb9e0b2a909e9aebef94866

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 46080225682415b0a1118da085aa79f8e06d26e36b7a43b9ecf58ee329717cad

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample