MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2954a47a08fc2a79ab0644550c68c380b67ace8d62c0c58933b756e4a541d91d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2954a47a08fc2a79ab0644550c68c380b67ace8d62c0c58933b756e4a541d91d
SHA3-384 hash: 2abb8ba005135ce1aa29f47f7f8b17f3c207cb4e7792928925d7adae55c747e6bff9b39d2f12486e871f5206f632f40e
SHA1 hash: a98b8864d54db6454702537d0063b54dd9357e1d
MD5 hash: 5cab4ee0a9ac0db0ea9c027d4e677105
humanhash: alpha-nine-idaho-black
File name:Conferma di pagamento 14-11-2022.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:239'269 bytes
First seen:2022-11-14 12:55:27 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:rdvMHwyVBC5Ej50gMTLnI6SxDWbNl3KbXj1h0:hEHVTp56nztb/4zz0
Threatray 18'595 similar samples on MalwareBazaar
TLSH T18F34C36D4706C9A4F7DC307C8C459A8B9D48850E8EB40C8BB67077B0AE95E4C76D1FEA
Reporter JAMESWT_WT
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333725/
Detection(s):
SecuriteInfo.com.VBS.Obfus-184.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Obfus-185.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm
Link:
https://www.filescan.io/uploads/63723ae407c3f5e84a011093/reports/52669093-1be1-47e7-b59e-fe93054ead23/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1112860
Signature
Machine Learning detection for dropped file
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Sigma detected: Dot net compiler compiles file from suspicious location
Tries to detect Any.run
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745556 Sample: Conferma di pagamento 14-11... Startdate: 14/11/2022 Architecture: WINDOWS Score: 88 36 Yara detected GuLoader 2->36 38 Sigma detected: Dot net compiler compiles file from suspicious location 2->38 40 Potential malicious VBS script found (suspicious strings) 2->40 42 Machine Learning detection for dropped file 2->42 8 wscript.exe 1 1 2->8         started        process3 signatures4 46 VBScript performs obfuscated calls to suspicious functions 8->46 48 Wscript starts Powershell (via cmd or directly) 8->48 50 Obfuscated command line found 8->50 52 Very long command line found 8->52 11 powershell.exe 21 8->11         started        15 cmd.exe 1 8->15         started        process5 file6 32 C:\Users\user\AppData\...\hdk3dvya.cmdline, Unicode 11->32 dropped 54 Tries to detect Any.run 11->54 17 CasPol.exe 13 11->17         started        21 csc.exe 3 11->21         started        24 conhost.exe 11->24         started        26 conhost.exe 15->26         started        signatures7 process8 dnsIp9 34 stpindo.co.id 153.92.8.115, 49696, 49697, 49698 AS-HOSTINGERLT Germany 17->34 44 Tries to detect Any.run 17->44 30 C:\Users\user\AppData\Local\...\hdk3dvya.dll, PE32 21->30 dropped 28 cvtres.exe 1 21->28         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2954a47a08fc2a79ab0644550c68c380b67ace8d62c0c58933b756e4a541d91d/
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 12:56:07 UTC
File Type:
Text (VBS)
AV detection:
12 of 25 (48.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ffkki6qi7qvhtkygirkqy2gdqc3hvtunmlamlcjtw5lojjkb3eoq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2eafbf195ee3064026099a6f5f6c78aaaae170c9fb81a5f49f501bf0f061cfd4
GuLoader
678f361d622c482253df9b834e978f8f3ca254fc5549381817dc75431005a047
GuLoader
75b6589abb41cfee6bd7a5bf66237e679d7f7a2039bb244d02c9faf1d68fb39f
GuLoader
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
GuLoader
8f6e203a52757cdb71ffbf15b696f0518f17862579863e139af08fafe1e1feb6
GuLoader
948eced5fa27e7fc39b404778a20a98d2614158f4f54f1d151de933066045b10
GuLoader
c34fbe5bb7db1716d8933f17bfa914066508430c5b89c040aeccca2df4d788c7
GuLoader
e49d8e1e806d3ce84d2f58c6b4e048e69816bfb199a6b427fd207a59fa2e93fb
GuLoader
fae3f9e1c610097417ce7aa81207f2fea0538a5688c8e2ddf3b3b50172a7fe43
GuLoader
+ 18'585 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221114-p6b63sbf67/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Checks computer location settings
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2954a47a08fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2954a47a08fc2a79ab0644550c68c380b67ace8d62c0c58933b756e4a541d91d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Guloader_VBScript
Create hunting rule
Author:Ankit Anubhav - ankitanubhav.info
Description:Detects GuLoader/CloudEye VBScripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/333725/

Comments