MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fff764b24ed5c9f8116b1028a39721c6c3098e0153ed368283d3f4ad4539247b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fff764b24ed5c9f8116b1028a39721c6c3098e0153ed368283d3f4ad4539247b
SHA3-384 hash: 391ea6e45ad82b484f58aa36d94a58e20009fab47289df9548b7c0058540800877f74e3c6a9b82882af598305412e7f2
SHA1 hash: 3c76ea914c43e820dc76878135baaf0a50b182ea
MD5 hash: 30389540bc8fca7dc6f9c534299d3257
humanhash: lactose-monkey-freddie-colorado
File name:list.dwg.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:65'536 bytes
First seen:2020-06-10 06:51:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f9afc6dffb64a5570786b407e3071e38 (1 x GuLoader)
ssdeep 768:bcv2GMjJvbviB7Ucvdqz/neTo455PsjfKZ4wHDv+xly0SOwHGlxTfOHyeHlNT6e8:bcOG0yW/e8455PYp2Dv+x6OGGlxT8
Threatray 810 similar samples on MalwareBazaar
TLSH 90533B1B2D48DB63E02087F0297296A13625AC2976057F477A8C7F59EF335C27DD321A
Reporter abuse_ch
Tags:exe geo GuLoader KOR


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: mail-smail-vm43.hanmail.net
Sending IP: 203.133.180.231
From: 김승준 <hseng5491@hanmail.net>
Subject: 견적요청의 件:HYUNDAI MASS QUARANTREAT PROJECT
Attachment: HYUNDAI MASS QUARANTREAT PROJECT.CAD.lzh (contains "list.dwg.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1ODXvlJ99IWe_pta07ZMHgSM_7SFRqxTb

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7473/
Detection(s):
Win.Malware.Malwarex-8014471-0
Create hunting rule

Win.Malware.Malwarex-8014474-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 06:53:04 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=773wjmso2xe7qellcaukhfzby3bqtdqbkpwtnaud2p2k2rjzer5q._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17314d9e48839344dafc7dbdb9af89ad08603a106fb09eda8f74af42dd8a8252
GuLoader
3a58b6a2f3d61ce467d8cbd7963b2224adeccfe5dc865eee164b7879f325a460
GuLoader
8d4b6b5a3f228456841a6627f6b4fe4de260e1261e312b30b62120d5297e68c1
GuLoader
99d07b0682434235023da65216efdcc624d66c436e80745614315d4c68e8735f
GuLoader
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
GuLoader
b8565239fc984ae11a613ad6a80eebcf3e006125c8e6240583a0365669c32397
GuLoader
c8bdfc9eea22464897b3dae7829464348f27a1ff1989cf33d1de95bc0a99527f
GuLoader
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
GuLoader
ea0bcb9c44a356945727a78ca03b727f5ce4dd69accb51dc7fee5918477133be
GuLoader
fa751279651f9e4ac9597b9b38bca7f47dffe1ce47b400914667f6b03585e4d5
GuLoader
+ 800 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-etfzt7vdpe/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar c466e906fdf4ae5f21e799aaabb4e34652bc1219db0bb3a241340678b24459d9

GuLoader

Executable exe fff764b24ed5c9f8116b1028a39721c6c3098e0153ed368283d3f4ad4539247b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/385099/
  
Dropped by
MD5 66a3c1b8798f7cb1c3b224c1554f3482
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c466e906fdf4ae5f21e799aaabb4e34652bc1219db0bb3a241340678b24459d9
Cape
Cape
https://www.capesandbox.com/analysis/7473/

Comments