MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b39e4e2e3b7412b08824434b0cce7049fcca04761e4e88ba3ea510fabbd43d07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	b39e4e2e3b7412b08824434b0cce7049fcca04761e4e88ba3ea510fabbd43d07
SHA3-384 hash:	762b3341bba175220234d3c89f4892c040271f1bb5b746c3dc2dcb76eed209373f9191c93116ec0a0fdf203b384c9213
SHA1 hash:	591c818b2b5e173d8a87438d60246a0583613557
MD5 hash:	0c65dbfcab3d666f8297152000fe6f6c
humanhash:	nuts-hotel-chicken-ceiling
File name:	New Order Set Documents.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	159'744 bytes
First seen:	2020-04-08 10:53:57 UTC
Last seen:	2020-04-08 11:59:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2491a499ae1536e8116ee138d10e90d4 (1 x GuLoader)
ssdeep	1536:UFA+BcTGptd1AvWatywvUamxsiHHq0a9C2cTBU:CA+mS1VatywvUa3FMu
Threatray	759 similar samples on MalwareBazaar
TLSH	9BF3B5A57760FAE5F00608F4B979BE7864F83C312618640FFBC27365647AA49F834693
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader:

HELO: vm02-monty.h4ahosting.com
Sending IP: 41.72.154.151
From: Lia Pozvek <dokadalogistique@gmail.com>
Subject: Re: TR: COVID-19 order RFQ
Attachment: TR COVID-19 order RFQ.img (contains "New Order Set Documents.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1v9S2PulMt_BVCwTNUMpWG9zdn2ft7Nzp

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.VBGeneric-7652592-0

Win.Packed.Generic-7663293-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-04-08 08:28:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wope4lr3oqjlbcbeinfqzttqjh6mubdwdzhiror6uuipvo6uhudq._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img bd820055d253380a1b28583b2a6f4a320910303bde2ef5cd73d02a01c19d52e9

GuLoader

exe b39e4e2e3b7412b08824434b0cce7049fcca04761e4e88ba3ea510fabbd43d07

(this sample)

Dropped by

MD5 efbeca2e38234e8df651d1d95e605e35

Dropped by

SHA256 bd820055d253380a1b28583b2a6f4a320910303bde2ef5cd73d02a01c19d52e9

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaLateMemCallLd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample