MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 293e46a6a6b995b7a2528d658b56cb957a4a77e011909261bfa6cc5838723b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 293e46a6a6b995b7a2528d658b56cb957a4a77e011909261bfa6cc5838723b71
SHA3-384 hash: 470306622d4fc826bbad38cb82dcd1faa93841fbce5e6b6a6ffed35f0c6284669a5ad6f804a87ccd10e07e69268cd6bc
SHA1 hash: 09da20def7b26159f6c8fc517d4e73c33361e477
MD5 hash: b39d09542c4f03e9b36676d2a36a08e8
humanhash: skylark-nine-stream-mississippi
File name:Order S9008_72_001 PDF.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:245'247 bytes
First seen:2022-11-14 13:05:53 UTC
Last seen:2022-11-14 14:08:43 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:13blkLVbd/m8tg0HbR9ZvdZ6J3iMfek0xymQmx2cXyXGejQizuWEuvvu4hKJ6:b21hmglbRxZ6JhcxMmx2Iegp4Gcv
TLSH T13334AF79CEC3C9AC3F5C74A994F50A5D890CCF53E6200A0BB5715681BF91B9C26A81FB
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333752/
Detection(s):
SecuriteInfo.com.VBS.Obfus-184.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Obfus-185.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63723d438d07bb59f81af753/reports/e3e44ce7-50b7-4696-8a77-a9c422ed92be/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1112883
Signature
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Tries to detect Any.run
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 745579 Sample: Order S9008_72_001 PDF.vbs Startdate: 14/11/2022 Architecture: WINDOWS Score: 100 35 ftp.lansol.com 2->35 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Yara detected GuLoader 2->43 45 3 other signatures 2->45 9 wscript.exe 1 1 2->9         started        signatures3 process4 signatures5 53 VBScript performs obfuscated calls to suspicious functions 9->53 55 Wscript starts Powershell (via cmd or directly) 9->55 57 Obfuscated command line found 9->57 59 Very long command line found 9->59 12 powershell.exe 23 9->12         started        16 cmd.exe 1 9->16         started        process6 file7 33 C:\Users\user\AppData\...\2upn2f0l.cmdline, Unicode 12->33 dropped 61 Writes to foreign memory regions 12->61 63 Tries to detect Any.run 12->63 18 CasPol.exe 11 12->18         started        22 csc.exe 3 12->22         started        25 conhost.exe 12->25         started        27 conhost.exe 16->27         started        signatures8 process9 dnsIp10 37 desazonh.tk 27.100.36.173, 49700, 80 HOSTUS-GLOBAL-ASHostUSHK United States 18->37 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->49 51 Tries to detect Any.run 18->51 31 C:\Users\user\AppData\Local\...\2upn2f0l.dll, PE32 22->31 dropped 29 cvtres.exe 1 22->29         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/293e46a6a6b995b7a2528d658b56cb957a4a77e011909261bfa6cc5838723b71/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fe7enjvgxgk3pissrvsywvwlsv5eu57acgijeyn7u3gfqodshnyq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221114-qb5qksbg28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks QEMU agent file
Checks computer location settings
AgentTesla
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/293e46a6a6b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/293e46a6a6b995b7a2528d658b56cb957a4a77e011909261bfa6cc5838723b71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Guloader_VBScript
Create hunting rule
Author:Ankit Anubhav - ankitanubhav.info
Description:Detects GuLoader/CloudEye VBScripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/333752/

Comments