MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efb24807a8af2cadae6d4e325c6cfcb47465db355cdbbe2fd002c06842aebdab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efb24807a8af2cadae6d4e325c6cfcb47465db355cdbbe2fd002c06842aebdab
SHA3-384 hash: 07c687a73281e85061bcc1b1960a1c17665c855e8dae4052163b7d8fac14eb1d8f87127785ff24a4f0d209cb0b2a1d06
SHA1 hash: 3b784bc9ad1a7f8d34ec64cbbb8486dddf7008a3
MD5 hash: f296e01bdf8faf6f8c2627ad0e9c4c36
humanhash: mountain-sink-utah-magnesium
File name:COVID-19 Güncellemesi - DHL Express Temel Etkinligi.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:98'304 bytes
First seen:2020-04-06 17:34:07 UTC
Last seen:2020-04-06 18:46:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 542cf6bb8d4b9a0d6a92ca9253b3185e (1 x GuLoader)
ssdeep 768:DwePptnHavG11gMKxOA/IEDQjtR5/+sRRLZ9Fet:zPpN6vGMMKx1QuQj75/BRLZ9F0
Threatray 1'016 similar samples on MalwareBazaar
TLSH 8EA3E511BA50FDD1F8008EB29977DEAC56E5BC309E402A07B9C43B6E3DB15427A63F46
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe geo GuLoader TUR


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader->AgentTesla in Turkey:

HELO: gateway23.websitewelcome.com
Sending IP: 192.185.50.164
From: DHL EXPRESS TR <noreply@dhl.com.tr>
Subject: COVID-19'u güncelleştirme - DHL Express TURKEY temel faaliyeti (COVID-19'u güncelleştirme - temel DHL Express TURKEY etkinliği)

GuLoader payload URL (dropping AgentTesla):
https://drive.google.com/uc?export=download&id=1RqrfHL79u2Jrzdx6a-OGCpNBS7jcU5UG

AgentTesla SMTP exfil email address:
bin2laden@yandex.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.VBGeneric-7650830-0
Create hunting rule

Win.Malware.Generic-7650850-0
Create hunting rule

Win.Malware.Generic-7652320-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 17:36:13 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=56zeqb5iv4wk3ltnjyzfy3h4wr2glwzvltn34l6qalagqqvoxwvq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
4c085d783c734f76e23572661c1692d7b2e4ad30dab5f6c108669d4141f97c99
GuLoader
6dcf4557563343e881daf4b7d7b01e372457cee637ac001a1102a2e67a69cbf8
GuLoader
7a7760c4a4b1244950ea0fd475c53005ced18cb314a2e0fc4499086582e1a5aa
GuLoader
8d88c99ff33ecbed42e4185b925f890a616aa0307a559d61595ab67dae6a1a09
GuLoader
8fa47ee760cf1c21de132ec77eef49282a2312f197aba6026ee1de750051014b
GuLoader
a3314185c4c7b813105231aa59fbf2045b1fa595fd4bf322370112926afc24a7
GuLoader
aee6f41ba3393811f2980cec1714785039dd6cfcc629b81479fc376f635868c7
GuLoader
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
GuLoader
e265bbf3f727ff892423b3e24b5368ab4f694c86334bf68ae62ff20dfd7ce5b6
GuLoader
fb6a49d393c339750c2effe7797cf304d7d9bb8c95fdaa3431af177f7a677ba8
GuLoader
+ 1'006 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

gz ca34d9a6aa92b930fcce953051db0dfb743f7e16d8b7613ab69585521ab0a61b

GuLoader

Executable exe efb24807a8af2cadae6d4e325c6cfcb47465db355cdbbe2fd002c06842aebdab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/335847/
  
Dropped by
MD5 1a31389fdf964de72884a3f85bc000db
  
Dropped by
SHA256 ca34d9a6aa92b930fcce953051db0dfb743f7e16d8b7613ab69585521ab0a61b
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaErrorOverflow

Comments