MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea38089348d047f0b0162a6d3404d579a42e355d62e01a7c1bc38c1af764717a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea38089348d047f0b0162a6d3404d579a42e355d62e01a7c1bc38c1af764717a
SHA3-384 hash: 9a83322942af39e800adc581a223417fe7981e78137cd5a3823155993b3e6a6edab513f811bbecbeb19608e353e43bef
SHA1 hash: 7a01b69e38bf1675d102e4e16e7787bc869f8ec4
MD5 hash: a2a1b64ca075b12dcedd232ab3b32451
humanhash: iowa-louisiana-apart-summer
File name:COVID-19 VACCINE- CURE- UPDATE.Xlxs.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:106'496 bytes
First seen:2020-04-14 17:31:14 UTC
Last seen:2020-04-14 18:39:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f3bce4af1442e967ed3cc6d0ef8cdc4 (1 x GuLoader)
ssdeep 1536:4u/6JjOe+De4KIIi34l0spGGW6Ab+D7j+I1:4j8e4PcRt6SPP1
Threatray 933 similar samples on MalwareBazaar
TLSH 9DA3B461B494FE61CC168EB1AAF4DEE91821BD749DA03607B5C53E1F38B20E17B12F52
Reporter abuse_ch
Tags:COVID-19 exe GuLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader:

HELO: linux887.grserver.gr
Sending IP: 185.4.133.240
From: [ W.H.O ]WORLD HEALTH ORGANIZATION <worldhealthsupport@who.com>
Subject: W.H.O: COVID-19 VACCINE NOW READY FOR DISPATCH
Attachment: COVID-19 VACCINE- CURE- UPDATE.Xlxs.iso (contain "COVID-19 VACCINE- CURE- UPDATE.Xlxs.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1zcSB7nHWJ-EYvukNnOHdNlI5udPPlPPf

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.NetWire-7667577-0
Create hunting rule

Win.Dropper.NetWire-7667588-0
Create hunting rule

Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/342269
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-14 17:35:24 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5i4are2i2bd7bmawfjwtibgvpgsc4nk5mlqbu7a3yogbv53eof5a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
163b0dbdbeb27d581695908c409f25a926613547da8cc08e844e2a93307bd9aa
GuLoader
5b89ef6de88e2a69a5f1f10d4a1ffcdb5a7562d184ff60162687f0e4d844f75f
GuLoader
6cfa6754f2c32d3856972eceda81e57c0a274c80419482b6fe3910966b67a114
GuLoader
a40a5e625d55583bfeb7d9ef900686a29dc3c6f580ca1615af7a2ad29f02761a
GuLoader
a4813ccf4c97f087ca7f2a12227496bbc8f5ef8b48f292981ac2504f2bc0f27b
GuLoader
ac4035cfb9c8a93c294fe1911bd4cd94ce403d8cdc301fa4bf113144b40d1245
GuLoader
aee6f41ba3393811f2980cec1714785039dd6cfcc629b81479fc376f635868c7
GuLoader
b666f8a605a45edebf5a3980675d00b84343a9b3c7a6d00fb90c37f40b55ac57
GuLoader
c882cc422e4039600b31e53e369f05b29dc9dd38cab76facef8a42adc8d326b3
GuLoader
cb108b44f7c1ce27111e05df5b00d405abd180fc46d280b78e9a137fd9858dbe
GuLoader
+ 923 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

iso cac240e2759b45458ca45869ad55883a994e52972bc165e242917960f2d0877b

GuLoader

Executable exe ea38089348d047f0b0162a6d3404d579a42e355d62e01a7c1bc38c1af764717a

(this sample)

  
Dropped by
MD5 f590e384897861fb9ecf4261aaf6db0c
  
Dropped by
SHA256 cac240e2759b45458ca45869ad55883a994e52972bc165e242917960f2d0877b
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments