MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57acb5d89c02230f16fa4223e779f5defcb924a9e42ac05c245f91561c1c7fe0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	57acb5d89c02230f16fa4223e779f5defcb924a9e42ac05c245f91561c1c7fe0
SHA3-384 hash:	3764b60892b7b595b32479731be9e549c3a5b51d8f1676b71a77ca60978cc3d7899f13ec6e7cdf8bd6b40cb75c0ab723
SHA1 hash:	bb4bfeb65607118b810a47b6531dc9efe5bea100
MD5 hash:	30007fe97db1f5b971f219a10d5d9c44
humanhash:	ceiling-east-nevada-cat
File name:	product list.pdf.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	98'304 bytes
First seen:	2020-04-01 10:28:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0a0959ec17ac32d837ad0c18ea4f071e (1 x GuLoader)
ssdeep	1536:scUYvRg3xNG7IHb5Pf7tv0emcv3ZfAIE/:fXkHG7IHbZfz4l
Threatray	1'026 similar samples on MalwareBazaar
TLSH	C7A3D626FA009C94D4280DB59B7597CC1359BE29AE09AE4734CC3EDE7FF13647012A9B
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: goldmedicalsupplies.com
Sending IP: 209.58.149.66
From: Sheila Conley <info@goldmedicalsupplies.com>
Subject: URGENT NEED: U.S. Department of Health & Human Services/COVID-19 Face Mask/ Forehead thermometers
Attachment: product list.pdf.gz (contains "product list.pdf.exe")

GuLoader payload URL (AgentTesla):
https://onedrive.live.com/download?cid=AE80108520D75992&resid=AE80108520D75992%21108&authkey=AAVaAf29YqFJ4Z0

AgentTesla SMTP exfil server:
smtp.1and1.es:587 (212.227.15.158)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Vebzenpak-7649913-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-01 02:30:00 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k6wllwe4airq6fx2iir6o6pv336lsjfj4qvmaxbel6ivmha4p7qa._file

Verdict:

malicious

Label(s):

guloader

GuLoader

45f2c615dde960357bc53cf73082b5de83cf5c0cd93d7a9b339af308d1229f0f

GuLoader

47e0a9592dbd0f2aaf56ec183cf5936a24848ed72de02dc30848d033a28d00b4

GuLoader

5cc55fa0f006fc7c39f68a9aa2d7c2debe52c0e9f8ee955bacced2cf0d2aae8b

GuLoader

60c2a6a0bc12f4b6fd4ecb473d5de3d9de561ee3125055dbbf2d8ff12bb83f60

GuLoader

a16deb69d9cd6cf259639a9584dbe98c0bc73395559f9afef7d9dc2784bb803c

GuLoader

a40a5e625d55583bfeb7d9ef900686a29dc3c6f580ca1615af7a2ad29f02761a

GuLoader

aee6f41ba3393811f2980cec1714785039dd6cfcc629b81479fc376f635868c7

GuLoader

c882cc422e4039600b31e53e369f05b29dc9dd38cab76facef8a42adc8d326b3

GuLoader

e45490584a68e394f6714a78c96988adc241fd3acd783337bd66f26117535454

GuLoader

+ 1'016 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 4219ea9690a8264a7d85b81334d313e6a8a1a41a3d63cbadfabf1e7f37516881

GuLoader

exe 57acb5d89c02230f16fa4223e779f5defcb924a9e42ac05c245f91561c1c7fe0

(this sample)

AgentTesla

exe b788eb3fa4068c4846abac921c00bb9142ce5f19944553055603d1a174aed5a0

URLhaus

https://urlhaus.abuse.ch/url/333129/

Dropped by

MD5 b4af9ae0adc403e0f5d98169abf5053d

Dropped by

SHA256 4219ea9690a8264a7d85b81334d313e6a8a1a41a3d63cbadfabf1e7f37516881

Dropping

MD5 8f3374cfbb9e8a4e755d5d81aa854956

Dropping

SHA256 b788eb3fa4068c4846abac921c00bb9142ce5f19944553055603d1a174aed5a0

Dropping

AgentTesla

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 b788eb3fa4068c4846abac921c00bb9142ce5f19944553055603d1a174aed5a0

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaErrorOverflow

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample