MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9dae8af9343e2bb59a9c6cbfa04b09bcbffe2a75893d797ec2a9c50c6253afe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	c9dae8af9343e2bb59a9c6cbfa04b09bcbffe2a75893d797ec2a9c50c6253afe
SHA3-384 hash:	dbff3d2815d2cfb5f46df738fae752094e56251a8c329d951d319630ec5acac60c9a9e47d88ccf95a7c7e3a9423b793b
SHA1 hash:	77eb6d4e075559f9197ff18838e4862a31f12392
MD5 hash:	350b3c96ccf51dc960c09af122d98721
humanhash:	texas-cola-wyoming-crazy
File name:	Newster sterilizers.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-04-10 09:50:00 UTC
Last seen:	2020-04-10 19:02:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b256f0cfba64901eb8b2f8b56c89c055 (1 x GuLoader)
ssdeep	768:cIQdXjsDJxMKJXlkRUDzUaa+lVrHcHdhI3apMayZ2+AfZ+HbBH:cIQerMKFWRJaa+lVr8zIWMayO6R
Threatray	802 similar samples on MalwareBazaar
TLSH	14A318117AA4FE65C80A0AB2AEB6C7FD21247E31CD48692735C13F5F39B14A27865F43
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: newstergroup.com
Sending IP: 103.99.1.149
From: "Barbara Ann Calisesi" <research@newstergroup.com>
Subject: Newster COVID-19 treatment references
Attachment: Newster sterilizers.zip (contains "Newster sterilizers.exe")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1DL1XK4elHi-JMY7m4Z1OQgOPBzhxeUwA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Fareit-7661431-0

Win.Dropper.Razy-7661440-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-04-10 10:35:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zhnorl4tiprlwwnjy3f7ubfqtpf77yvhlcj5pf7mfkofbrrfhl7a._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 691b6128674bb8ae31b99de783e7521ec7294dbaaa680fac5327275fc0ae452f

GuLoader

exe c9dae8af9343e2bb59a9c6cbfa04b09bcbffe2a75893d797ec2a9c50c6253afe

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/337876/

Dropped by

MD5 a5b728a0746f99d3d85ea9fe3d71f3d6

Dropped by

SHA256 691b6128674bb8ae31b99de783e7521ec7294dbaaa680fac5327275fc0ae452f

Dropping

AgentTesla

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample