MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f71b8185345a7a8d923db61ae9c9f68bb53b7c3d26e825aa80dca05c5879cc87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	f71b8185345a7a8d923db61ae9c9f68bb53b7c3d26e825aa80dca05c5879cc87
SHA3-384 hash:	ac1347fd0cb05f071924bbc77c2fc22b41f9fb45addf74c5307ae5ac16d69214b10a0342d4f772f20a8f6b4e0eee3c0f
SHA1 hash:	2415dbc04f44bbf8e08d2b220cca62b19dcf0b4c
MD5 hash:	7dde7c9cd99e746cfba02aab9d123e95
humanhash:	kilo-hot-missouri-skylark
File name:	CMathari specification sheets pdf.bat
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	102'400 bytes
First seen:	2020-04-17 07:22:17 UTC
Last seen:	2020-04-17 07:49:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8fc98dc152cc34f80507f4f1587627bf (1 x GuLoader)
ssdeep	768:L2HKMxdVwn9cUlBLF4XRFtrb0w4XCfPSPl1bY5t9FIyhh14NpbZAs:aHXxdVwnxlBKxn0w4XhbYkNlr
Threatray	703 similar samples on MalwareBazaar
TLSH	98A30920B694FE86D1254AB1AEB5C7FC4164BD32DD056E0B34C83F9F2A71A813461F6E
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader

abuse_ch

COVID-19 themed malspam distributing GuLoader:

HELO: cmatharihospital.co.ke
Sending IP: 209.58.149.66
From: "PROCUREMENT"<procurement@cmatharihospital.co.ke>
Subject: Re: Request for quotation for COVID-19 medical supplies
Attachment: CMathari specification sheets pdf.arj (contains "CMathari specification sheets pdf.bat")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1JjINt15aGYMLnhka6bVHB0FaLAjpjyWg

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Remcos-7686828-0

Win.Dropper.Remcos-7686834-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-17 07:35:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=64nydbjulj5i3er5wynotspwro2tw7b5e3uclkua3sqfywdzzsdq._file

Verdict:

malicious

Label(s):

guloader

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

arj c1e5617a5333ec9fd9c3eaa4dc26f1510dbf31ce2282aa21f7c05d81d1231e91

GuLoader

exe f71b8185345a7a8d923db61ae9c9f68bb53b7c3d26e825aa80dca05c5879cc87

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/342032/

Dropped by

MD5 3b243488adcc1e7f4735495e3ff1b5f7

Dropped by

SHA256 c1e5617a5333ec9fd9c3eaa4dc26f1510dbf31ce2282aa21f7c05d81d1231e91

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaFileOpen MSVBVM60.DLL::__vbaLateMemCallLd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample