MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c4c71e85ab589b9931f6ba87a00ac43d29ddc2907857c7226181fb56e4e278a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c4c71e85ab589b9931f6ba87a00ac43d29ddc2907857c7226181fb56e4e278a
SHA3-384 hash: 979b37898d2bda2b1f5b1608d6bb39465a866e08c0bd6e84265a347add6aabe52441dd4fbac6ce7427d36d3af40f3964
SHA1 hash: d3200a54ed3c7d11bf69d2c50dab8743a98b6a82
MD5 hash: ef5ac1def1c0500f0e9f937a1e67328f
humanhash: apart-ten-early-bluebird
File name:088021ord_#PO.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-04-06 10:55:56 UTC
Last seen:2020-04-07 04:52:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 193cafe6e8cf28865b8c88e826e123c6 (1 x GuLoader)
ssdeep 768:Lwzmljhtmy3r6/MMLcUFUH3ubcCjlEVh84jy5/4:qmhhoIr6NwiUH3ocC53u
Threatray 1'447 similar samples on MalwareBazaar
TLSH B8A3D326FAA4FEC1F8154EB1CA369E9805F9BC74ED002A0779C53B6E3CB11447A61B52
Reporter abuse_ch
Tags:COVID-19 exe GuLoader

Intelligence

File Origin
# of uploads :
6
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-7650850-0
Create hunting rule

Win.Malware.Generic-7652320-0
Create hunting rule

Win.Dropper.Minix-7652351-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Vbobfuse
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 10:01:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=brghd2c2wwe3tey7nouhuafmipjj3xbja6cxy4rgdap3k3soe6fa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
1b2e0d5dd025f3af551020940f5cb7bfa79ce059f90cb62bafc0c8490f197bc7
GuLoader
50d487621decc715e2b3e349679aba07ecb93d3ee55a3605ec0606d11a05dcd2
GuLoader
8d88c99ff33ecbed42e4185b925f890a616aa0307a559d61595ab67dae6a1a09
GuLoader
a3314185c4c7b813105231aa59fbf2045b1fa595fd4bf322370112926afc24a7
GuLoader
a8327d7e2395ea7fb71062275b3a7f24ce586d7ccd0301ed2a1df1699e2d9b9b
GuLoader
aee6f41ba3393811f2980cec1714785039dd6cfcc629b81479fc376f635868c7
GuLoader
bed06510d878aedc81671ebf83fb2dd246f88de58514124d166e0831b4d9c4d0
GuLoader
c884dcf4fa00359eeb51ead67cd41d9a68b71f09e3588f03456244eddaa36fa0
GuLoader
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
GuLoader
efb24807a8af2cadae6d4e325c6cfcb47465db355cdbbe2fd002c06842aebdab
GuLoader
+ 1'437 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 091d738d434b010b21d985a4bb252851e9569097b59fff2c74d71a5b35db1115

GuLoader

Executable exe 0c4c71e85ab589b9931f6ba87a00ac43d29ddc2907857c7226181fb56e4e278a

(this sample)

  
Dropped by
MD5 16e8830c32372087bad71df23bb87dbc
  
Dropped by
SHA256 091d738d434b010b21d985a4bb252851e9569097b59fff2c74d71a5b35db1115
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d8cffa81316810b399de9429242570da24231342b669b46917cb4270d752ac45
  
Dropped by
MD5 8f2cfc17bded0746ba9c8b7271cd2942

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaErrorOverflow

Comments


Avatar
commented on 2020-04-06 10:56:01 UTC

COVID-19 themed malspam distributing GuLoader:

HELO: mail.pickelhost.com
Sending IP: 103.99.1.158
From: PURCHASE DEPARTMENT<frederik@barberajmeagher.gq>
Subject: RE: (COVID-19) CI OF NEW ORDER---3013670
Attachment: 088021ord_PO.rar (contains "088021ord_#PO.exe")