MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa085719a6b5701dff065332e4fa698b8961acc2883e611576c178cf370eb5d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa085719a6b5701dff065332e4fa698b8961acc2883e611576c178cf370eb5d7
SHA3-384 hash: 78d652fd9b5348437e6ea763d3c26af43830658e19e81d1f367f640f5231d6206261755067136e29a238432a3e433ea5
SHA1 hash: 800b5266bb4b0c84e60b45aef239592ed6017f81
MD5 hash: 7ba591968fe72137459e109b02b72a2d
humanhash: seven-indigo-fillet-hawaii
File name:Safety Precautions Tips_PDF_.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:102'400 bytes
First seen:2020-04-02 15:18:16 UTC
Last seen:2020-04-02 15:48:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b37379ae97db3c0e0efbb6514561d99f (1 x GuLoader)
ssdeep 768:+KNNclYNbcjL+amtoAvo+K7CAvS/6h0bGqjZId2NSA/oHcTD:+sNHcjL4tzoNmAQ6hGrjqpAV
Threatray 673 similar samples on MalwareBazaar
TLSH A5A3D312BE90FD50D4044AB19E7A8BEC466AFC30DD916E07BAC43F6E3EB1151B641B47
Reporter abuse_ch
Tags:COVID-19 exe GuLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader:

HELO: highrollers.website
Sending IP: 173.254.251.92
From: Dr Peter D. Haytaian <belviewhospital@highrollers.website>
Subject: How to Stay safe Covid-19
Attachment: Safety Precautions Tips_PDF_.img (contains "Safety Precautions Tips_PDF_.exe")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1zmKBkfiG8ycIBu0LtRT6hD285RCFhzBq

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Fareit-FRR7BA591968FE7.20166.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 15:35:24 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7iefogngwvyb37ygkmzoj6tjroewdlgcra7gcflwyf4m6nyowxlq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0daa29b9c74872bfe69ee54537140e75c43b9227c45d6d202df200d6f3ebeccd
GuLoader
1cc84d3c06c9a283218310ac6d69e7161fd7605339b78035747c6f51021475ff
GuLoader
284f5d7c77eab431e6dd8bdd9e508bbd1e2e3dc467b40f68b834b1a437061061
GuLoader
2d403f971f502d2423b11dcca6424edc460b6c290cb76107d7f36a37565791e8
GuLoader
46c1e795439ea1890c5617fb2234cff51ce6785e5b07b2acfc89ddeb86e34a39
GuLoader
81a658971e7a9f45c2237755d6e1d231f320d1fadf7356927ff782ae2ff22dea
GuLoader
a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290
GuLoader
c7ead8266de17cda17f2c1cf6b146c616a092f2a4d2e59cf80e2815976c5932d
GuLoader
cf02bb3aa058cc571d6c3368f98a96fefa3db05a813ea479d002edc1c3cbdb95
GuLoader
fd2f15ef992f18f206d53d8d162ae4385f283e433bc038e1e61fb81686f2b4de
GuLoader
+ 663 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

img 09f7c89a757ab5c3a0112b898be5428c982f8d24cf9fc31225c50feb63c23707

GuLoader

Executable exe fa085719a6b5701dff065332e4fa698b8961acc2883e611576c178cf370eb5d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/334012/
  
Dropped by
MD5 ab93534b5de3779f6b902c167a43bc21
  
Dropped by
SHA256 09f7c89a757ab5c3a0112b898be5428c982f8d24cf9fc31225c50feb63c23707
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen

Comments