MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97e961ffd1883624c6629f8e621d86ac6388751a15a851c33eb12006ab9e1bff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4



SHA256 hash: 97e961ffd1883624c6629f8e621d86ac6388751a15a851c33eb12006ab9e1bff
SHA3-384 hash: ecf1b716b25e7a686c667a9e6144194b9fcc18db681bd22c8fc8f44159a1587fb22eea04a286b8e7ea0ce0c051f577ea
SHA1 hash: f15f180cbec1bc326d592069e225039f742d3db0
MD5 hash: 7742d378ed84a9d448428470298de3b9
humanhash: papa-timing-papa-leopard
File name: purchase list.pdf.exe
Signature: GuLoader
File size: 102'400 bytes
First seen: 2020-03-30 16:40:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f757db26df96b65b64691d065d19b631 (1 x GuLoader)
ssdeep: 1536:fS429cE1v/uHykZC0o1bcaeMFWTkMaxoY:fQDvKRC0m7d
Threatray: 1'122 similar samples on MalwareBazaar
TLSH: 7FA3C413FA00BCA5D1384DB59BB29B9C1355BF256E08BE43348D3EDE7AB11903152E9B
Reporter: abuse_ch
Tags: COVID-19, exe, GuLoader


abuse_ch
COVID-19 malspam campaign distributing GuLoader->AgentTesla:

HELO: hhs.gov
Sending IP: 209.58.149.66
From: Sheila Conley <sheila.conley@hhs.gov>
Subject: URGENT NEED: U.S. Department of Health & Human Services/COVID-19 Face Mask/ Forehead thermometers
Attachment: purchase list.pdf.gz (contains "purchase list.pdf.exe")

GuLoader payload URL (AgentTesla):
https://onedrive.live.com/download?cid=7A5E689DD1DC641F&resid=7A5E689DD1DC641F%21107&authkey=AE9g4jRbU5iqkJ8

Intelligence


File Origin
# of uploads: 1
# of downloads: 91
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Fareit
Status: Malicious
First seen: 2020-03-30 18:59:00 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 26 of 30 (86.67%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropping
AgentTesla
  
Delivery method
Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
VB_API | Legacy Visual Basic API used | MSVBVM60.DLL::EVENT_SINK_AddRef

Comments