MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a09519fee9d622a6c619b8195d512bcbf6c96233cd1c5e581a191dc011c3f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a09519fee9d622a6c619b8195d512bcbf6c96233cd1c5e581a191dc011c3f04
SHA3-384 hash: 2f048e4e1b00ee1559fa33ec80ae0d68a94171da84f729ecf7c6ee8dcd6aca9e2f964eead7068ed89a66f261e33a9c8b
SHA1 hash: fc2a0670da357149e745457805156f3f64ddc7a4
MD5 hash: 174dfb9325503c0862e20d08a5aa2729
humanhash: winner-wolfram-papa-football
File name:BLimageNewInquiryCIPL.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:867'990 bytes
First seen:2022-03-07 09:40:41 UTC
Last seen:2022-03-07 14:10:38 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:NQ99Uysev3+v0l7+j3sZO5RPQUyOHrsfAhRa:NQ99Uysa3+v0ti3skQjOuAh8
TLSH T19C052E3BA507BD681BF45C03A4E7DFABB1A4620428BDE4CE01534696C63FB165E0A73D
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247838/
Detection(s):
Sanesecurity.Malware.25834.JsHeur.UNOFFICIAL
Create hunting rule

Porcupine.Malware.36555.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/951681
Signature
Encrypted powershell cmdline option found
Hides threads from debuggers
Potential malicious VBS script found (has network functionality)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 584158 Sample: BLimageNewInquiryCIPL.vbs Startdate: 07/03/2022 Architecture: WINDOWS Score: 76 33 store-images.s-microsoft.com 2->33 35 Potential malicious VBS script found (has network functionality) 2->35 37 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->37 9 wscript.exe 2 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\Temp\Bilat.dat, data 9->31 dropped 39 VBScript performs obfuscated calls to suspicious functions 9->39 41 Wscript starts Powershell (via cmd or directly) 9->41 43 Very long command line found 9->43 45 Encrypted powershell cmdline option found 9->45 13 powershell.exe 25 9->13         started        16 cmd.exe 1 9->16         started        signatures6 process7 signatures8 47 Tries to detect Any.run 13->47 49 Hides threads from debuggers 13->49 18 csc.exe 3 13->18         started        21 conhost.exe 13->21         started        23 conhost.exe 16->23         started        25 attrib.exe 1 16->25         started        process9 file10 29 C:\Users\user\AppData\Local\...\mctym2ud.dll, PE32 18->29 dropped 27 cvtres.exe 1 18->27         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a09519fee9d622a6c619b8195d512bcbf6c96233cd1c5e581a191dc011c3f04/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bievdh7otvrcu3dbtoazlvisxs7wzfrdhti4lzmbugi5yai4h4ca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/220307-lpxvnsffeq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Guloader,Cloudeye
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0a09519fee9d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a09519fee9d622a6c619b8195d512bcbf6c96233cd1c5e581a191dc011c3f04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs 0a09519fee9d622a6c619b8195d512bcbf6c96233cd1c5e581a191dc011c3f04

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/247838/

Comments