MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 10e5aba7f34c9acff9ff3bd7d959fd719ca6327dc09f5dbdd976167ad6304f9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
GuLoader
Vendor detections: 4
| SHA256 hash: | 10e5aba7f34c9acff9ff3bd7d959fd719ca6327dc09f5dbdd976167ad6304f9c |
|---|---|
| SHA3-384 hash: | f87f658bc9958b9822218e73922510bfb236d25e1a6127c1eff8a0c5c7127e65015bc49ddd4869df435d3be6de1d6def |
| SHA1 hash: | fd87f96e5a300f71278aa6ad1ccdb8dd01c1de2a |
| MD5 hash: | b0fb65f8075670b46aa1491da4f51c90 |
| humanhash: | beer-undress-skylark-winner |
| File name: | Payment Advice Note from 0324098457.exe |
| Download: | download sample |
| Signature | GuLoader |
| File size: | 114'688 bytes |
| First seen: | 2020-04-02 04:20:36 UTC |
| Last seen: | 2020-04-02 04:45:24 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5932a6702dd61750604b6a37e5ee64b7 (1 x GuLoader) |
| ssdeep | 3072:TBtjiTHGb/fyQW6qqxFRsvPOW31bfrnb/dtXG12:TDVqQ+ |
| Threatray | 1'481 similar samples on MalwareBazaar |
| TLSH | C5B3E622F500FD94C1180DB3AF3586EC8274AD30AE09A94735C53F6EBBB51B5B681B57 |
| Reporter |  abuse_ch |
| Tags: | COVID-19 exe GuLoader |
abuse_ch
COVID-19 themed malspam distributing GuLoader:HELO: lamco.ae
Sending IP: 209.58.149.65
From: Shabeer M. T. <shabeert@lamco.ae>
Subject: Payment Assistance Due To Covid-19 Pandemic
Attachment: Payment Advice Note from 0324098457.pdf.z (contains "Payment Advice Note from 0324098457.exe")
HELO: h2.domains.sb
Sending IP: 52.10.241.220
From: Shabeer <shabeert@lamco.ae>
Subject: Payment Assistance Due To Covid-19 Pandemic
Attachment: Payment Advice Note from 0324098457.pdf.z (contains "Payment Advice Note from 0324098457.exe")
GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1x4QIaEIYJueFynpzhwtnkaCxNkLmm3B0
Intelligence
File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Gathering data
Threat name:
Win32.Trojan.Injector
Status:
Malicious
First seen:
2020-04-02 04:35:41 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 1'471 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| VB_API | Legacy Visual Basic API used | MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaLateMemCallLd |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.