MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9806b77ee650d7150806bb52ab67e6925cb663622397c2d7110233d344aa885d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	9806b77ee650d7150806bb52ab67e6925cb663622397c2d7110233d344aa885d
SHA3-384 hash:	97348c38663f73fedef0d4987bd4962729d6ec757e0b891760e756ad41583499ba3d4fc7db51c0e75af90eb67f31ddd1
SHA1 hash:	26dc8212ee93e6c9027b48a2b7afcd109a6b30cb
MD5 hash:	5060d7ed01ad125fc717078a1bd6ad9b
humanhash:	cat-hotel-florida-six
File name:	Covid19 working procedure.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	98'304 bytes
First seen:	2020-04-06 11:00:27 UTC
Last seen:	2020-04-06 11:57:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f562806b1eb4e3fe8dfc8fff5afb24d7 (1 x GuLoader)
ssdeep	768:itvY1Lt8eL5A18oElbfO6NT8jj7MfyXFxRP1SFVthX:oYxx5A1fIfOLj7yyXL+tR
Threatray	134 similar samples on MalwareBazaar
TLSH	77A3F8167E90FEC2F4045EB18ABADFEC02E6FC31AD452A47A9C53B6E79301017991F46
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader:

HELO: ns1.dpnotice.site
Sending IP: 138.197.174.33
From: Admin<admin@hamptonsteel.co.uk>
Subject: Re: Important COVID-19 Working Procedures
Attachment: Covid19 working procedure.rar (contains "Covid19 working procedure.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1Ua9LmJf-eY0X5E8f-hnFwbBAoOh5HT5B

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.VBGeneric-7650626-0

Win.Malware.Generic-7650850-0

Win.Malware.Generic-7652320-0

Gathering data

Threat name:

Win32.Trojan.Agensla

Status:

Malicious

First seen:

2020-04-06 11:36:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tadlo7xgkdlrkcagxnjkwz7gsjolmy3ceol4fvyraiz5grfkrboq._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 1842813befed5e37a92f63d8c20108764399edccb0d418ed90027d2c46a43017

GuLoader

exe 9806b77ee650d7150806bb52ab67e6925cb663622397c2d7110233d344aa885d

(this sample)

Dropped by

MD5 43b871914700d8edbfa320fdf5546b3e

Dropped by

SHA256 1842813befed5e37a92f63d8c20108764399edccb0d418ed90027d2c46a43017

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaErrorOverflow

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample