MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd26d79cdab1d9f934cdee769ab7f1803735a120d95afb470a2466a088c4d5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	4cd26d79cdab1d9f934cdee769ab7f1803735a120d95afb470a2466a088c4d5c
SHA3-384 hash:	68669169fce22dbaceda0e9186915fe0ca24b7d02221935eef88cc68236d1404490ae9aa4330eefad14cd4b4be48b47f
SHA1 hash:	7139641887ddee636bc466e15958e5e2cf9c1544
MD5 hash:	4e1300730e16c467e530149ac0569ff5
humanhash:	jupiter-fifteen-robin-johnny
File name:	Request for quotation for COVID-19 Products.bat
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	180'224 bytes
First seen:	2020-04-20 15:59:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4d2c213f3e1eb2609e6184c82d3a2fbc (1 x GuLoader)
ssdeep	1536:S/EeM1/HKo7+38r7tTrb8Bohal3Mas+S:SVOKdsrZHoB/3Mas+S
Threatray	707 similar samples on MalwareBazaar
TLSH	2704D812BE74E035C10806346D6AC7BED3547DE1E9E9454F6084BB2FBEB11E229E129F
Reporter	abuse_ch
Tags:	AgentTesla COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: sau-f9894-or.servercontrol.com.au
Sending IP: 118.127.60.69
From: CHARLES<info@bowersmedical.com>
Subject: Request for quotation for COVID-19 Products
Attachment: Request for quotation for COVID-19 Products.rar (contains "Request for quotation for COVID-19 Products.bat")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1hzN2z26Dl9juRy5b5bfWACeroI-ka7St

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.NetWire-7679518-0

Win.Dropper.NetWire-7683365-0

Gathering data

Threat name:

Win32.Trojan.Androm

Status:

Malicious

First seen:

2020-04-20 12:27:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jtjg26onvmoz7e2m33twtk37dabxgwqsbwk27ndqujdgucemjvoa._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 5d76a392d98b23447d29ec1f85b01ed357b48f2ba6ac579fc5f322932efd9be5

GuLoader

exe 4cd26d79cdab1d9f934cdee769ab7f1803735a120d95afb470a2466a088c4d5c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/346934/

Dropped by

MD5 5159a4416d06af5fb2cc0b3eec2f16bf

Dropped by

SHA256 5d76a392d98b23447d29ec1f85b01ed357b48f2ba6ac579fc5f322932efd9be5

Dropping

AgentTesla

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample