MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54dd660151b98bcbe222d290c2407d654786b72bc2bcdd0293cd8741a1e20266. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54dd660151b98bcbe222d290c2407d654786b72bc2bcdd0293cd8741a1e20266
SHA3-384 hash: 5c82c4c43358e0031c4d4d714c84af8df7484456fdf6b9e7023e3e756fc1bf173e1af716d36829dffdb1f160cd4133a7
SHA1 hash: 47656955941ec1acb81dad42eeb44dc868049de5
MD5 hash: e1c7ab2be11ce9dee2f0f91263a1fb64
humanhash: fish-blue-yankee-salami
File name:New-Purchase-Order-PO09765.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:102'400 bytes
First seen:2020-03-31 11:54:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8457980025184ec4ed4677154bbad222 (1 x GuLoader)
ssdeep 768:Mi/ZffhOVzm3lPP78a8Wd0DuVOETvDW779ViXI7SvbW/8VGsTAHk:MwfhO0lPVd0aVRrW779VihvzVGW
Threatray 5'359 similar samples on MalwareBazaar
TLSH 46A3E412FE04FCA4D1280DB68B759ADC13567E396E45AA4334C93EDE7BF16943102E8B
Reporter abuse_ch
Tags:COVID-19 exe GuLoader


Avatar
abuse_ch
COVID-19 themed malspam campaign distributing GuLoader, sent from Yahoo mailservers:

HELO: sonic315-43.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.134.217
From: Bervin Teo <bervinteo@yahoo.com>
Subject: Covid-19 Transfer slip Down payment made to you company account
Attachments: New-Payment-Order-PO09765.img (contains "New-Purchase-Order-PO09765.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1zxWcClsNgcNjA860ENhdx2F6Ih_C9WqL

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7647550-0
Create hunting rule

Win.Trojan.Ponystealer-7648176-0
Create hunting rule

Win.Dropper.Remcos-7683428-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 12:35:47 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ktowmakrxgf4xyrc2kimeqd5mvdynnzlyk6n2autzwdudipcajta._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
GuLoader
157ef05047452109ec1552af00806f1469254bc14a5cc942e41180ee82d508a7
GuLoader
1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298
GuLoader
26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0
GuLoader
2a11f8f83b6c7fc23742f76d10d013aef543026557ddcd62879a638f6fd00c52
GuLoader
330cc7a94a8d40b4588313605d103e425e9a2530bf19e32b6cd61a786a6b8c04
GuLoader
77168234eb706333e4835666a00a8fd8e110959660c97e5c5528ed3a3d0f5081
GuLoader
8842ac3497c777517b2f18152eabaa0994a460d249773a5e89a4e16bca2bd741
GuLoader
9b7aafdd3549d2f40208d8cbf57b3763d033bfe15a31541a3ca7329e7c2d61d6
GuLoader
ebfc26187e0b0ad6924461b1f2476321c53b5a23fbfe246e3ed5a475a1ea5678
GuLoader
+ 5'349 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 0e3dc6ef2566c39ad59779b75b29288f9d5d5313240e68641e211c8a427b670d

GuLoader

Executable exe 54dd660151b98bcbe222d290c2407d654786b72bc2bcdd0293cd8741a1e20266

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/332564/
  
Dropped by
MD5 8744448d01bd1cff1a5e79bd64efe126
  
Dropped by
SHA256 0e3dc6ef2566c39ad59779b75b29288f9d5d5313240e68641e211c8a427b670d
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaErrorOverflow

Comments