MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a16deb69d9cd6cf259639a9584dbe98c0bc73395559f9afef7d9dc2784bb803c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	a16deb69d9cd6cf259639a9584dbe98c0bc73395559f9afef7d9dc2784bb803c
SHA3-384 hash:	6a69bae78a4d48a06f65a30b536d1bd81e7743cc657b2e600ab753f60857046881c1b1e8175168f5f0bd337e16ea66e0
SHA1 hash:	8c646ad84a211403083a62f15881c3c0c5103faf
MD5 hash:	1dc262d2ef81acaadbdcb9b423dd86af
humanhash:	shade-avocado-shade-green
File name:	proforma invoice.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	98'304 bytes
First seen:	2020-04-05 17:01:52 UTC
Last seen:	2020-04-06 06:30:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0de25304b02317897aef95bd50193cc3 (1 x GuLoader)
ssdeep	768:adp3wziJ61NReeuLTQTG80gX8WCuJFp/DoauAD:qp3wwmReJL0y80gX8WC2FproAD
Threatray	943 similar samples on MalwareBazaar
TLSH	C1A3E652BD94FD21C6145E719D7A8AEC4126BC31ED45EA03B9CABFAE3C70180B612F47
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader:

HELO: osakastainless.com
Sending IP: 103.99.1.149
From: Accounts <alt@osakastainless.com>
Subject: PROFORMA INVOICE 5974080 - RE: PO 019273682
Attachment: proforma invoice.zip (contains "proforma invoice.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1pEWWpbrZj-EhKgofuDAN34KdGhRFb8ns

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Minix-7652403-0

Gathering data

Threat name:

Win32.Trojan.Malrep

Status:

Malicious

First seen:

2020-04-05 10:27:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ufw6w2ozzvwpewldtkkyjw7jrqf4om4vkwpzv7xx3hocpbf3qa6a._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip acd0bf290ff756a624b8256baa018e98b4c461dcbd653e940b1d895bdeb1b561

GuLoader

exe a16deb69d9cd6cf259639a9584dbe98c0bc73395559f9afef7d9dc2784bb803c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/335199/

Dropped by

MD5 21a8dc04d78957654fe3fff6eebf5270

Dropped by

SHA256 acd0bf290ff756a624b8256baa018e98b4c461dcbd653e940b1d895bdeb1b561

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaFileOpen MSVBVM60.DLL::__vbaErrorOverflow

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample