MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5
SHA3-384 hash: 7e3b3904f1f1df7e47bd3c9d69706398ccbe9f529ccb0510d802542c51cd5e64767fd82464b68ca4b934a047f63389c2
SHA1 hash: 9e1d81d4fe3638c6f78c6cf9c045b19e4359efb8
MD5 hash: 846be25fe6dd9e8a8ceb9b07ce450e1d
humanhash: johnny-carpet-white-ack
File name:doc_order_sheet_sn8577THC_13122023_pdf_0000000.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:90'898 bytes
First seen:2023-12-14 07:19:56 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:D5DRWIZA4ReqoJXN4v8K24hKGLx6Y0230zuEsU:D5Lm4ReqiXGv8KPLx6Y02EzuEsU
TLSH T129936CE1EF94155A0C4F3BEAED406881C5BDC12A5936016AFEDD078E520B89C97BFB0D
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467385/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.19132.22174.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm masquerade
Link:
https://www.filescan.io/uploads/657aacaceba10803148ab487/reports/52cb6901-84e7-46cd-a840-81dd0b8b8452/overview
Verdict:
Malicious
Labled as:
Trojan.GenericFCA.Agent
Link:
https://www.hybrid-analysis.com/sample/2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5
Result
Verdict:
MALICIOUS
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361956
Signature
Antivirus detection for URL or domain
Contains functionality to modify clipboard data
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1361956 Sample: doc_order_sheet_sn8577THC_1... Startdate: 14/12/2023 Architecture: WINDOWS Score: 100 45 ytgz5.sa.com 2->45 47 geoplugin.net 2->47 67 Snort IDS alert for network traffic 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 8 other signatures 2->73 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 83 VBScript performs obfuscated calls to suspicious functions 10->83 85 Suspicious powershell command line found 10->85 87 Wscript starts Powershell (via cmd or directly) 10->87 89 3 other signatures 10->89 17 powershell.exe 14 10->17         started        53 ytgz5.sa.com 103.83.194.50, 49732, 49738, 80 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN United States 13->53 55 127.0.0.1 unknown unknown 13->55 43 C:\ProgramData\Microsoft43etwork\...\qmgr.jfm, COM 13->43 dropped file6 signatures7 process8 signatures9 57 Suspicious powershell command line found 17->57 59 Very long command line found 17->59 20 powershell.exe 23 17->20         started        23 conhost.exe 17->23         started        25 cmd.exe 1 17->25         started        process10 signatures11 75 Writes to foreign memory regions 20->75 77 Powershell uses Background Intelligent Transfer Service (BITS) 20->77 79 Maps a DLL or memory area into another process 20->79 81 2 other signatures 20->81 27 wab.exe 6 14 20->27         started        32 cmd.exe 1 20->32         started        process12 dnsIp13 49 85.209.176.69, 49739, 49740, 49741 ASDETUKhttpwwwheficedcomGB United Kingdom 27->49 51 geoplugin.net 178.237.33.50, 49743, 80 ATOM86-ASATOM86NL Netherlands 27->51 41 C:\Users\user\AppData\Roaming\vorspt.dat, data 27->41 dropped 91 Tries to harvest and steal browser information (history, passwords, etc) 27->91 93 Maps a DLL or memory area into another process 27->93 95 Hides threads from debuggers 27->95 97 Installs a global keyboard hook 27->97 34 wab.exe 1 27->34         started        37 wab.exe 1 27->37         started        39 wab.exe 2 27->39         started        file14 signatures15 process16 signatures17 61 Tries to steal Instant Messenger accounts or passwords 34->61 63 Tries to steal Mail credentials (via file / registry access) 34->63 65 Tries to harvest and steal browser information (history, passwords, etc) 37->65
Score:
100%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5/
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-13 18:19:23 UTC
File Type:
Text (VBS)
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftvlsl4q76anieoroslackinexqpelxc5zd747jzgpddo6vz5xkq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/231214-h54rdaddg7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2ceab92f90ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs 2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/467385/

Comments