MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ab96517f6852c124c82edf441496b2f005b11a4d1feb92f9cbfa2a2bffd1acb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ab96517f6852c124c82edf441496b2f005b11a4d1feb92f9cbfa2a2bffd1acb
SHA3-384 hash: a7032181ef95b9da0cf7506b766243900a9e71ebfb52560baf0556a64c2240f744209e7b62f6b27bb26a0abff2c25cf5
SHA1 hash: 0caccf489130536d51fa8b210b170434d8b4e388
MD5 hash: 5f5a1aaf1ee00e8b0b0b6a62713053a2
humanhash: yankee-nine-grey-pizza
File name:REVISED ORDER.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:221'184 bytes
First seen:2020-04-21 17:48:29 UTC
Last seen:2020-04-21 22:42:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0423d0a3e2311a003d6bd832530bcba1 (1 x GuLoader)
ssdeep 1536:SKP5h81dkoxFBD8OXZ4zpS8JhHnF9YdGKyj2u2sOqCKjMbx3xxAOBT:5P5uDgOeFJJJItyStqybLKOBT
Threatray 5'135 similar samples on MalwareBazaar
TLSH 8F24F6816DB89427C70446315EE6D7FAC34C3DE0E9E1C94B20907B2BAF737861A6652F
Reporter abuse_ch
Tags:COVID-19 exe FormBook GuLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader->FormBook:

HELLO: pixel.hostlogic.sg
Sending IP: 103.255.250.151
From: Nassir Bechara <Enqui_ry@hotmail.com>
Subject: COVID 19 PENDIMG ORDER enquiry KH.O2333#
Attachment: REVISED ORDER.zip (contains "REVISED ORDER.exe)

GuLoader payload URL (FormBook):
http://kiencuonghotel.vn/3month_RwHwwlGA208.bin

Intelligence

File Origin
# of uploads :
3
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.VBGeneric-7678218-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-04-21 17:56:48 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pk4wkf7wquwbetec5x2ecsllf4afwene2h7lsl44x6rkfp75dlfq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
GuLoader
17ccd5b98d29f09cde5b49fee52602ac5e95c462c68f09c5f07d12d8a8cd8e0f
GuLoader
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
GuLoader
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
GuLoader
3527457b184139953c43be59287281eb8f797e9cc8f3e9d637362276fe4f83a2
GuLoader
5dd8b3d4a4968fecce4bdee9ef9a29df44fa7ce4ad73002ba4dfc5ac14fa9c41
GuLoader
608f0e64c91d168bd7bae669335b4539cb8018772e948fb7ae36e8a95fd19604
GuLoader
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
GuLoader
9fba6ffeb90dd242748718d8272a4942496e76a4f68bdb4dd42f93b044b5ed50
GuLoader
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
GuLoader
+ 5'125 additional samples on MalwareBazaar
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ab96517f685/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 8985c5cb73dffe5d35d7f8c3975ab629303f4f582d1f7f6134638c57d1f89862

GuLoader

Executable exe 7ab96517f6852c124c82edf441496b2f005b11a4d1feb92f9cbfa2a2bffd1acb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/347742/
  
Dropped by
MD5 83ba3633bd1900f3fd177db396d2808c
  
Dropped by
SHA256 8985c5cb73dffe5d35d7f8c3975ab629303f4f582d1f7f6134638c57d1f89862
  
Dropping
FormBook
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef

Comments