MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 086fd488622c16461d2c60ca3cd42a7d5147978f1624e51a04c7ceedcaa71c6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 086fd488622c16461d2c60ca3cd42a7d5147978f1624e51a04c7ceedcaa71c6c
SHA3-384 hash: c4a8c17104b86e8568691781d42e52411549bd2316ca0c0fc022a63975d91f94651d50bd4948ace82170d43631a469cd
SHA1 hash: a937ff3a170376190fe711f2a4a5946e737872c0
MD5 hash: c4610edd5f00bd7d8ea938515adaa32c
humanhash: charlie-ceiling-seventeen-yellow
File name:awb_shipping_documents_26_03_2024_000000000.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:243'328 bytes
First seen:2024-03-26 12:44:55 UTC
Last seen:2024-03-27 07:30:54 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:tuhQMLtOBxJrv5lttSP4KuK8jWwoipSRUiGT9rS2fTicm7vImuQ+HsAVnh:OkVBJHJVnh
Threatray 159 similar samples on MalwareBazaar
TLSH T1D7342BF0CFCA36394F4B2FDAAD24445289F98199021228BDA6D917AD7243D2CD3FED54
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
4
# of downloads :
114
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm masquerade
Link:
https://www.filescan.io/uploads/6602c35387afdf0403618475/reports/56e79ff0-eed8-4b98-8c86-0ac9b1fe1779/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/086fd488622c16461d2c60ca3cd42a7d5147978f1624e51a04c7ceedcaa71c6c
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
FormBook, GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1415784
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1415784 Sample: awb_shipping_documents_26_0... Startdate: 26/03/2024 Architecture: WINDOWS Score: 100 83 www.terelprime.com 2->83 85 geoplugin.net 2->85 105 Snort IDS alert for network traffic 2->105 107 Multi AV Scanner detection for domain / URL 2->107 109 Found malware configuration 2->109 111 15 other signatures 2->111 15 wscript.exe 1 2->15         started        18 svchost.exe 1 2 2->18         started        signatures3 process4 dnsIp5 153 VBScript performs obfuscated calls to suspicious functions 15->153 155 Suspicious powershell command line found 15->155 157 Wscript starts Powershell (via cmd or directly) 15->157 161 2 other signatures 15->161 21 powershell.exe 18 15->21         started        87 147.78.103.250, 49712, 49720, 49725 CMCSUS Germany 18->87 89 127.0.0.1 unknown unknown 18->89 159 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 18->159 signatures6 process7 signatures8 123 Suspicious powershell command line found 21->123 125 Very long command line found 21->125 24 powershell.exe 23 21->24         started        27 conhost.exe 21->27         started        29 cmd.exe 1 21->29         started        process9 signatures10 145 Writes to foreign memory regions 24->145 147 Powershell uses Background Intelligent Transfer Service (BITS) 24->147 149 Found suspicious powershell code related to unpacking or dynamic code loading 24->149 31 wab.exe 8 16 24->31         started        36 cmd.exe 1 24->36         started        process11 dnsIp12 93 85.209.176.69, 49721, 49722, 49723 ASDETUKhttpwwwheficedcomGB United Kingdom 31->93 95 geoplugin.net 178.237.33.50, 49724, 80 ATOM86-ASATOM86NL Netherlands 31->95 79 C:\Users\user\AppData\Roaming\pavnspt.dat, data 31->79 dropped 81 C:\Users\user\AppData\...\Markarbejders.vbs, ASCII 31->81 dropped 97 Maps a DLL or memory area into another process 31->97 99 Hides threads from debuggers 31->99 101 Installs a global keyboard hook 31->101 38 wscript.exe 1 31->38         started        41 cmd.exe 1 31->41         started        43 wab.exe 31->43         started        45 2 other processes 31->45 103 Uses cmd line tools excessively to alter registry or file data 36->103 file13 signatures14 process15 signatures16 127 Suspicious powershell command line found 38->127 129 Wscript starts Powershell (via cmd or directly) 38->129 131 Very long command line found 38->131 141 3 other signatures 38->141 47 powershell.exe 38->47         started        133 Uses cmd line tools excessively to alter registry or file data 41->133 50 reg.exe 1 1 41->50         started        52 conhost.exe 41->52         started        135 Tries to steal Instant Messenger accounts or passwords 43->135 137 Tries to steal Mail credentials (via file / registry access) 43->137 139 Tries to harvest and steal browser information (history, passwords, etc) 45->139 process17 signatures18 163 Writes to foreign memory regions 47->163 165 Powershell uses Background Intelligent Transfer Service (BITS) 47->165 54 wab.exe 47->54         started        57 conhost.exe 47->57         started        59 cmd.exe 47->59         started        61 2 other processes 47->61 167 Creates multiple autostart registry keys 50->167 process19 signatures20 143 Maps a DLL or memory area into another process 54->143 63 TapuVKeJJkdWzXsMRprugRj.exe 54->63 injected 66 cmd.exe 54->66         started        process21 signatures22 169 Maps a DLL or memory area into another process 63->169 171 Found direct / indirect Syscall (likely to bypass EDR) 63->171 68 write.exe 63->68         started        173 Uses cmd line tools excessively to alter registry or file data 66->173 71 reg.exe 66->71         started        73 conhost.exe 66->73         started        process23 signatures24 113 Tries to steal Mail credentials (via file / registry access) 68->113 115 Tries to harvest and steal browser information (history, passwords, etc) 68->115 117 Maps a DLL or memory area into another process 68->117 119 Queues an APC in another process (thread injection) 68->119 75 TapuVKeJJkdWzXsMRprugRj.exe 68->75 injected 121 Creates multiple autostart registry keys 71->121 process25 dnsIp26 91 www.terelprime.com 66.96.161.166, 49729, 80 BIZLAND-SDUS United States 75->91 151 Found direct / indirect Syscall (likely to bypass EDR) 75->151 signatures27
Score:
77%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/086fd488622c16461d2c60ca3cd42a7d5147978f1624e51a04c7ceedcaa71c6c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/086fd488622c16461d2c60ca3cd42a7d5147978f1624e51a04c7ceedcaa71c6c/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-03-26 03:45:30 UTC
File Type:
Text (VBS)
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bbx5jcdcfqlemhjmmdfdzvbkpviupf4pcysokgqey7ho3svhdrwa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
GuLoader
20c6326c049e6fb205a5feb6266b8ed8061a31fd770dc7771c61995bd701fe7b
GuLoader
4c97b96baa6e3c1ef907482abe84083c8813d45545d138ec5b9cc456f0027e1b
GuLoader
6206e88335305e4230178b9e72d7c0619cdddf1d470fad04d7a5af3cc3e76dbd
GuLoader
a769d62738c3135274416dec8a9ae7cdf15291a20bb1a20486490eb859ea6936
GuLoader
b67c5941b8a82c44ee8c876e53fc0435d8d5653491b6c61ef0ec5ee92bbfbed0
GuLoader
ba2189b9c876676d938bbac14b46f0c59e448afb443e69ada3be3b9bf0cd70d2
GuLoader
e0516ae8e938052542c7e7a89713f02c0acf64a7ae9fe210ddbcd618d995e70b
GuLoader
f27ddc5f225f50a392bfcf9cbd59557d445f5ad47f1ad31f1a899aec1ec92611
GuLoader
f29f7cf714a8eef6c8509ea9fc3d6adbedf98e14b0f142bd8bec1fb7de78639b
GuLoader
+ 149 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/240326-py23jadd6w/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Guloader,Cloudeye
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/086fd488622c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/086fd488622c16461d2c60ca3cd42a7d5147978f1624e51a04c7ceedcaa71c6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip 03341d9a4d9de7efc8928aa7fce88fa7cd157537e976b6db62b299c7b861a41d

GuLoader

Visual Basic Script (vbs) vbs 086fd488622c16461d2c60ca3cd42a7d5147978f1624e51a04c7ceedcaa71c6c

(this sample)

  
Dropped by
SHA256 03341d9a4d9de7efc8928aa7fce88fa7cd157537e976b6db62b299c7b861a41d
  
Dropped by
MD5 da30a43c86cc5e73d9dba2f388ddb579

Comments