MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 3a7ff30bf0e05419f72ca60a9caa6033533d64236682557bdefd755cf72d5bfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
GuLoader
Vendor detections: 3
| SHA256 hash: | 3a7ff30bf0e05419f72ca60a9caa6033533d64236682557bdefd755cf72d5bfc |
|---|---|
| SHA3-384 hash: | 6c10534a3c5ce16c1c041115a9b12cafed04b4ffe6c315fa53268b5283fc919e622d8e393c72aea33b1eb25a299b79c6 |
| SHA1 hash: | 2e859109618e477a6b6106b1eb5572776eb04fc2 |
| MD5 hash: | 6ef8f6ce249e8955951420497d130c8f |
| humanhash: | timing-batman-twenty-lemon |
| File name: | 3a7ff30bf0e05419f72ca60a9caa6033533d64236682557bdefd755cf72d5bfc |
| Download: | download sample |
| Signature | GuLoader |
| File size: | 1'038'338 bytes |
| First seen: | 2020-04-15 19:57:17 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | c20621304c1fe54782482e54a438a70c (1 x RemcosRAT, 1 x GuLoader) |
| ssdeep | 24576:CMadtPwuCNp0mFh6Bfd4mcDxP44x0B+/KTzn:CM+t4wmznp+Tzn |
| Threatray | 57 similar samples on MalwareBazaar |
| TLSH | CE255C21B291D436C1622A39DD2BE3FD98357F10ED2494873AE83F4E7F7625139252A3 |
| Reporter |  nbd33 |
| Tags: | AgentTesla COVID-19 GuLoader scr |
Intelligence
File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2020-04-13 22:24:29 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
25 of 31 (80.65%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
unknown
Similar samples:
+ 47 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance |
| MULTIMEDIA_API | Can Play Multimedia | gdi32.dll::StretchDIBits |
| SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteA |
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle kernel32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | kernel32.dll::WinExec |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA |
| WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowA user32.dll::OpenClipboard user32.dll::PeekMessageA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.