MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0c9160c101b0eeaa3cc660fd1e22abbd54d566068acdc2968afbef1590548c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0c9160c101b0eeaa3cc660fd1e22abbd54d566068acdc2968afbef1590548c2
SHA3-384 hash: 971f7275f30f49f89004519800dba27800dbf0286c3bc36941891efe4f59b8983e5b14a506b4cca07a93a2a0ec85c1f0
SHA1 hash: 01f1870f01746519bc4f88363531c2ba6fa09046
MD5 hash: fccd5a4685849e97019d9bea12e19225
humanhash: nineteen-one-november-hot
File name:PO - RFQ # 097663899 NEW ORDER.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-04-01 09:47:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fea065ae8c11884f8eb89db6761e9c80 (1 x GuLoader)
ssdeep 1536:lg041lTLRIbxhOPXWc+ONgOeQCRydcjw3eJkOVHH:a0Yl3M/U/+0gOwOgn
Threatray 1'345 similar samples on MalwareBazaar
TLSH 6CA3B516FE00CC64C1280DBA8B7587DC6355BE25AE19AA4335CD3EDE7FF62542102B9B
Reporter abuse_ch
Tags:COVID-19 exe GuLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader:

HELO: sm.smallz09800.live
Sending IP: 45.95.171.28
From: Syed Siraj <S.Siraj@technos-uae.com>
Subject: (Covid-19) PO - RFQ # 097663899 NEW ORDER
Attachment: PO - RFQ 097663899 NEW ORDER.rar (contains "PO - RFQ # 097663899 NEW ORDER.bat")
Attachment: PO - RFQ 097663899 NEW ORDER.IMG (contains "PO - RFQ # 097663899 NEW ORDER.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1f8UPIwMBRKGmzb0wiQ7lxeyIKkHb1A31

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Vebzenpak-7649913-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 10:35:35 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 31 (58.06%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=udermdaqdmhovi6mmyh5dyrkxpku2vtancwnykliv67pcwifjdba._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
006bb451c7207fa375e67a1684a97136a46beea1ff74e193eb4bbf6665a0ec9b
GuLoader
09476389f92f23216cbb99cf3dce7e07deee2fdc29d63b066aef91e9b1a78197
GuLoader
2ed2a56967e7cb3e18b8b2cb910b9e6d356a52a9b65a05309c36ec62fa09773c
GuLoader
5cd5f57afb04ba3ce4e5aaee5a7fa7d10b24a334e30911a49a4cc4cb52982848
GuLoader
5d615e82f2b0a90f4d7b50e17fa070d6ce5684bde0a5de1d0661f2d166af964b
GuLoader
70d577aba943b783ec606abcfa912bf97c9fd4f22d5e46ff1d718d350a8e4fcc
GuLoader
9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
GuLoader
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
GuLoader
d7162b14867eff2ee6b1c0506f91c4e8c1a1cea0ddae632bd49156a179549772
GuLoader
f17d48c8d179de191e519fa908648b977c09f91803b898d8e4fada52e423a8df
GuLoader
+ 1'335 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img d6145b773686c6bb85a799cd902dabd6882f0b5b4afae293bc383fe844583b6f

GuLoader

Executable exe a0c9160c101b0eeaa3cc660fd1e22abbd54d566068acdc2968afbef1590548c2

(this sample)

  
Dropped by
MD5 b9f2467f2be098d687e421edf4c07aa7
  
Dropped by
SHA256 d6145b773686c6bb85a799cd902dabd6882f0b5b4afae293bc383fe844583b6f
  
Dropped by
MD5 38198bf2359938520c5bd1390553659a
  
Dropped by
SHA256 81dc9632982fa94601493b2966f4348ff7d70027aed6dbf1cfbe7b30730460fd
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaErrorOverflow

Comments