MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1df1f90da9a07dfe25f0368fc24830fd1513e938c590e9ca6cfbe422dcfedc38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments 1

SHA256 hash:	1df1f90da9a07dfe25f0368fc24830fd1513e938c590e9ca6cfbe422dcfedc38
SHA3-384 hash:	d2996d9e139ed352d0033a63e86abace1fca642b3e8d65249733ba5eced939cf2bc8e730afa991dd5c8557167e7ffcc8
SHA1 hash:	081d6d1a88d7fa78b7330e45bed6ba7665c6ada7
MD5 hash:	f88785a5cd52bb711ad05f2962338d28
humanhash:	montana-comet-october-nebraska
File name:	new order.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-03-30 11:47:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a9981a3f3614529bb5e6bc37e7974859 (1 x GuLoader)
ssdeep	1536:r9Htv8mH7G4VO6s0g0o1bcaeMFWTkMat:BNv8aae60g0m7t
Threatray	706 similar samples on MalwareBazaar
TLSH	80A3E716FD00BD65E5284DB58B758BCC6342BE256E09BE07308C3ECE7AF12517542EAB
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: sg2nlshrout01.shr.prod.sin2.secureserver.net
Sending IP: 182.50.132.193
From: info <info@suntecmedical.com>
Subject: New order - Suntec Medical (Covid-19)
Attachment: new order.gz (contains "new order.exe")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1qnQeDhk__jgArpg3JU8NQtjQEDFu5Xnj

AgentTesla SMTP exfil server:
smtp.yandex.com:587 (77.88.21.158)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Remcos-7647550-0

Win.Dropper.Remcos-7647553-0

Win.Trojan.Ponystealer-7648176-0

Win.Dropper.Remcos-7683428-0

Gathering data

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2020-03-30 12:35:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dxy7sdnjub674jpqg2h4esbq7ukrh2jyywiotstm7pscfxh63q4a._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz 0a292683292cfbc5be87371a34a163b3d29dc6ff582c87625c0997b3dd31b777

GuLoader

exe 1df1f90da9a07dfe25f0368fc24830fd1513e938c590e9ca6cfbe422dcfedc38

(this sample)

AgentTesla

exe 3b579b5c48b467cb0e3a3b28773a63ce90b11a87f4baba15b98d0af36291a314

URLhaus

https://urlhaus.abuse.ch/url/331958/

Dropped by

MD5 dedfe963911bfe4788ba12c7ec586ece

Dropped by

SHA256 0a292683292cfbc5be87371a34a163b3d29dc6ff582c87625c0997b3dd31b777

Dropping

AgentTesla

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 3b579b5c48b467cb0e3a3b28773a63ce90b11a87f4baba15b98d0af36291a314

Dropping

MD5 bcf9b041ef47fa0fa402a343a4009db8

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

commented on 2020-03-30 11:48:11 UTC