MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751
SHA3-384 hash: 6a6093d956e37b3002bcae869e48ec0616ebb6fc9416aa435b200edf9d778fc7f78a6b444394ccf3b6bfca74c9470951
SHA1 hash: 6ca96296c40777665e33e646d5fea608dfe404e5
MD5 hash: d73b4775abeed46e879675ddd0d311d2
humanhash: kansas-johnny-saturn-three
File name:IE_Networks.hta
Download: download sample
Signature GuLoader
Create hunting rule
File size:9'250 bytes
First seen:2023-07-27 11:58:32 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3ABMn6W79Whlu1B7fuuuSuuuNjuuMuu7ueuuuuBuu7ueuOuuBuu7ueuGuuRuu7u8:Qydeg7/9z3HMHzQYNU2R87a/Kvy+
TLSH T18812667DAB26AA80E3F7B1FC0048370711D5CA3B5A54DC06BC881927EA3867F5E3815D
Reporter JAMESWT_WT
Tags:192-3-243-146 GuLoader hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.8349.9500.415.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Obfuscated-IO.27303.9834.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/64c25c072a568ab215b8da81/reports/003f3f65-d1d6-4d37-b37e-d8cbdad50651/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751
Result
Verdict:
MALICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1281113
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1281113 Sample: IE_Networks.hta Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 50 www.zealously-snatch.shop 2->50 52 www.xn--ciqpnj85djnvt4n.com 2->52 54 19 other IPs or domains 2->54 80 Snort IDS alert for network traffic 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for URL or domain 2->84 86 4 other signatures 2->86 13 mshta.exe 19 2->13         started        signatures3 process4 signatures5 102 Very long command line found 13->102 104 Encrypted powershell cmdline option found 13->104 106 PowerShell case anomaly found 13->106 16 powershell.exe 7 13->16         started        process6 signatures7 66 Very long command line found 16->66 68 Encrypted powershell cmdline option found 16->68 70 Powershell drops PE file 16->70 19 powershell.exe 15 17 16->19         started        23 conhost.exe 16->23         started        25 backgroundTaskHost.exe 16->25         started        process8 dnsIp9 56 103.16.215.196, 50011, 80 TDLH-AS-APTHOMASDURYEALOGICALISHOLDINGSPTYLTDAU unknown 19->56 46 C:\Users\user\AppData\...\IBM_Linixe.exe, PE32 19->46 dropped 27 IBM_Linixe.exe 1 28 19->27         started        file10 process11 file12 48 C:\Users\user\AppData\Local\...\System.dll, PE32 27->48 dropped 98 Multi AV Scanner detection for dropped file 27->98 100 Tries to detect Any.run 27->100 31 IBM_Linixe.exe 6 27->31         started        signatures13 process14 dnsIp15 64 gfemaroc.com 174.142.95.85, 443, 50013 IWEB-ASCA Canada 31->64 72 Modifies the context of a thread in another process (thread injection) 31->72 74 Tries to detect Any.run 31->74 76 Maps a DLL or memory area into another process 31->76 78 2 other signatures 31->78 35 RAVCpl64.exe 31->35 injected signatures16 process17 process18 37 help.exe 13 35->37         started        signatures19 88 Tries to steal Mail credentials (via file / registry access) 37->88 90 Tries to harvest and steal browser information (history, passwords, etc) 37->90 92 Writes to foreign memory regions 37->92 94 3 other signatures 37->94 40 explorer.exe 2 1 37->40 injected 44 firefox.exe 37->44         started        process20 dnsIp21 58 www.fumart.info 203.161.55.148, 50025, 50026, 50027 VNPT-AS-VNVNPTCorpVN Malaysia 40->58 60 www.baltools.com 216.40.34.41, 50051, 50052, 50053 TUCOWSCA Canada 40->60 62 13 other IPs or domains 40->62 96 System process connects to network (likely due to code injection or exploit) 40->96 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 19:43:59 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxtchsku2h7qifmws4shicvfqcnqoroa2b62lukutjkicz2fw5iq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230727-n5qgmsfa4w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1de623c954d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1de623c954d1ff0415969724740aa5809b0745c0d07da5d1549a54816745b751

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments