MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 067775099e8349a39928c3513c29a8f1910da84c60b11d33e83e7484ea9ba2da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9


SHA256 hash: 067775099e8349a39928c3513c29a8f1910da84c60b11d33e83e7484ea9ba2da
SHA3-384 hash: 060d247697dfb8f3c4fee36c2fbe3287e218be61267ef8a425d7ab19c1cdbad3d32e1aeb17959abc03adc6c99fc9558a
SHA1 hash: 8e76a37f314eee4fb2c8eb82c32de2e81d1851dd
MD5 hash: 9e28bb88afaaf6f6c8e23d3b5f3b3721
humanhash: wyoming-kansas-may-dakota
File name: Fedteradsens.vbs
Signature: GuLoader
File size: 327'945 bytes
First seen: 2022-12-22 13:17:14 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 6144:7zElTw6iCG/7yf4ExFv3nWDVl97jPE4/x6337hDNkQm5/dUDJa6:uaCG/7jE/v3nuz7jnozk0U6
Threatray: 3'626 similar samples on MalwareBazaar
TLSH: T170645AFF4E14569CC7893A5A9E830F4A87214F315CB29D1BABB106C52F32D2D85CA6CD
Reporter: lowmal3
Tags: GuLoader vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 113
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated

Result
Verdict: MALICIOUS

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph (rendered image not available; recoverable details only):
Behavior Graph ID: 772089, Sample: Fedteradsens.vbs, Startdate: 22/12/2022, Architecture: WINDOWS, Score: 100
Process chain: wscript.exe -> powershell.exe and cmd.exe; powershell.exe -> powershell.exe, conhost.exe; cmd.exe -> conhost.exe; powershell.exe -> CasPol.exe
Network contacts: api4.ipify.org, api.ipify.org (IP lookup), mail.mpmhino.com, 64.185.227.156:443 (WEBNXUS, United States) from CasPol.exe, plus 5 other IPs or domains
Graph signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; May check the online IP address of the machine; VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 5 other signatures
Threat name: Win32.Dropper.Generic
Status: Suspicious
First seen: 2022-12-22 13:18:05 UTC
File Type: Text (VBS)
AV detection: 3 of 39 (7.69%)
Threat level: 3/5

Result
Malware family: guloader
Score: 10/10
Tags: family:agenttesla family:guloader collection downloader keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
Checks computer location settings
AgentTesla
Guloader, Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Guloader_VBScript
Author: Ankit Anubhav - ankitanubhav.info
Description: Detects GuLoader/CloudEye VBScripts

Rule name: WScript_Shell_PowerShell_Combo_RID32E7
Author: Florian Roth
Description: Detects malware from Middle Eastern campaign reported by Talos
Reference: http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader
Visual Basic Script (vbs) 067775099e8349a39928c3513c29a8f1910da84c60b11d33e83e7484ea9ba2da (this sample)

Delivery method: Distributed via e-mail attachment

Comments