MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e
SHA3-384 hash: 6b8527b8292aa5f1bfe96456b4a13059bbda44a8952e9ebd9f04dae1bf75a4d4b94172346567559978541d31961ee851
SHA1 hash: 6f5687c69e8ca873e26f1ee6b10d0ac8d1bbbb90
MD5 hash: 496ff1fed502e29c071482cb102610c9
humanhash: leopard-london-sink-music
File name:Purchase order.vbe
Download: download sample
Signature GuLoader
Create hunting rule
File size:13'845 bytes
First seen:2023-03-28 17:45:44 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 192:o9Al45haj3WuQYv5IdbcBoqEmeZx1zxqNklStddP93YBn/w7c0O23N/rgjKmrF:o9Z7Mvyl+NqZYNdtp30I/xmZ
Threatray 688 similar samples on MalwareBazaar
TLSH T1DB52D566EA0EC5068C0A23D999C38484F727C43A643301277FED079961065BCEB6B6FF
Reporter abuse_ch
Tags:GuLoader vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28845.BadVBS.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/642327dca6b4db3649e8fc0e/reports/059ca860-ff1c-4e8e-8674-53dacbc695f2/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e
Result
Verdict:
UNKNOWN
Result
Threat name:
FormBook, GuLoader, Play
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203722
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Yara detected Play Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 836635 Sample: Purchase_order.vbe Startdate: 28/03/2023 Architecture: WINDOWS Score: 100 42 www.thetimeandtheplace.co.uk 2->42 44 www.postehub.cloud 2->44 46 22 other IPs or domains 2->46 70 Snort IDS alert for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 5 other signatures 2->76 12 wscript.exe 2->12         started        signatures3 process4 signatures5 86 Wscript starts Powershell (via cmd or directly) 12->86 88 Very long command line found 12->88 15 powershell.exe 16 12->15         started        process6 signatures7 92 Very long command line found 15->92 18 powershell.exe 21 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 66 Writes to foreign memory regions 18->66 68 Tries to detect Any.run 18->68 23 ieinstal.exe 6 18->23         started        27 ieinstal.exe 18->27         started        process10 dnsIp11 48 googlehosted.l.googleusercontent.com 142.250.184.193, 443, 49857 GOOGLEUS United States 23->48 50 drive.google.com 142.250.186.46, 443, 49839, 49841 GOOGLEUS United States 23->50 78 Modifies the context of a thread in another process (thread injection) 23->78 80 Tries to detect Any.run 23->80 82 Maps a DLL or memory area into another process 23->82 84 2 other signatures 23->84 29 explorer.exe 7 2 23->29 injected signatures12 process13 dnsIp14 52 kaj8tfjcmkn7.xyz 216.18.208.202, 49914, 49915, 49916 WEBNXUS United States 29->52 54 egida-franchise.ru 185.215.4.31, 49902, 49903, 49904 TVHORADADAES Denmark 29->54 56 13 other IPs or domains 29->56 90 System process connects to network (likely due to code injection or exploit) 29->90 33 control.exe 1 13 29->33         started        36 ieinstal.exe 29->36         started        38 ieinstal.exe 29->38         started        signatures15 process16 signatures17 58 Tries to steal Mail credentials (via file / registry access) 33->58 60 Tries to harvest and steal browser information (history, passwords, etc) 33->60 62 Writes to foreign memory regions 33->62 64 3 other signatures 33->64 40 firefox.exe 33->40         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfau5b72puggezfzjaiahgyemxx5icgwl35hb5rotkhml2upeixa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ad287dbe151a940761d048d0a6214c15970455280ef7c98c240c223bf0a7a73
GuLoader
4b01d8e4729b07277f8f71037f9fbda1f8d817d9688850d941e7832727bb0276
GuLoader
95eea6606746af642726f423f651e78b52dc8652033b9ca6439a95248df0fde2
GuLoader
b15e539ba1801af269c976fa743708a0fc474fcdf6ba3a7433a08dfbf9eb1425
GuLoader
b1ce73dac896a841321b1f502bcc32313de930cd0e5561874e51e80dc7cb06cc
GuLoader
bec4ef3573fb041d4a688c353f4682186f2bfe3918e9add4b9c5ceda5ec2627c
GuLoader
cd5a3db769491e5e9b19fe8f2703456f82dbd128babacf54ac1c494587665f72
GuLoader
f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad
GuLoader
fb4c3c803b69b2823f0bb584ef77da38f17eaf18184058249b6dd7664234cb53
GuLoader
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
GuLoader
+ 678 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence spyware stealer
Link:
https://tria.ge/reports/230328-wcb3jscc89/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Guloader,Cloudeye
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19414e87fa7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbe) vbe 19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments