MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35
SHA3-384 hash: 61e9ea90da09026cc61ba5fa90d86b90e07c3a3214ca5703cb47daf54d19e6de360c0a00ea9bf852856ebd86d637fa9d
SHA1 hash: 7aad4e8d8f521d1c36a7468418047c8a5751b7e9
MD5 hash: 2eb1625e8d4e3f9b19ab947d188d0be8
humanhash: skylark-fix-comet-aspen
File name:Wire-84844663637346665.PDF.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:77'283 bytes
First seen:2022-01-21 14:23:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:8oJdxFRnX6gFcc31kSoIV+XAyZprwkGtz93tVTUzlvdl1UngqcFqg5TMs1rWO/Ih:5znFvXyjta0nvK
Threatray 14'000 similar samples on MalwareBazaar
TLSH T1A27384A86C1714CD1A94E74FECC146CD53CF0399CFEE4A02A5E9948D1B751E88EEDC8A
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221480/
Detection(s):
SecuriteInfo.com.Trojan-Downloader.VBS.SLoad.gen.1422.27924.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925353
Signature
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 557834 Sample: Wire-84844663637346665.PDF.vbs Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 54 canonicalizer.ucsuri.tcs 2->54 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 9 other signatures 2->76 12 wscript.exe 2 2->12         started        15 smartscreen.exe 2->15         started        signatures3 process4 signatures5 88 VBScript performs obfuscated calls to suspicious functions 12->88 90 Wscript starts Powershell (via cmd or directly) 12->90 92 Very long command line found 12->92 94 Encrypted powershell cmdline option found 12->94 17 powershell.exe 25 12->17         started        process6 signatures7 58 Tries to detect Any.run 17->58 60 Hides threads from debuggers 17->60 20 ieinstal.exe 6 17->20         started        24 csc.exe 3 17->24         started        27 conhost.exe 17->27         started        process8 dnsIp9 56 research.the-miyanichi.co.jp 133.242.141.149, 443, 49841 SAKURA-ASAKURAInternetIncJP Japan 20->56 78 Modifies the context of a thread in another process (thread injection) 20->78 80 Tries to detect Any.run 20->80 82 Maps a DLL or memory area into another process 20->82 84 3 other signatures 20->84 29 explorer.exe 3 20->29 injected 52 C:\Users\user\AppData\Local\...\lmt3yvf4.dll, PE32 24->52 dropped 31 cvtres.exe 1 24->31         started        file10 signatures11 process12 process13 33 help.exe 1 18 29->33         started        37 ieinstal.exe 29->37         started        39 ieinstal.exe 29->39         started        file14 48 C:\Users\user\AppData\...486Alogrv.ini, data 33->48 dropped 50 C:\Users\user\AppData\...506Alogri.ini, data 33->50 dropped 62 Detected FormBook malware 33->62 64 Tries to steal Mail credentials (via file / registry access) 33->64 66 Tries to harvest and steal browser information (history, passwords, etc) 33->66 68 3 other signatures 33->68 41 cmd.exe 2 33->41         started        44 explorer.exe 127 33->44         started        signatures15 process16 signatures17 86 Tries to harvest and steal browser information (history, passwords, etc) 41->86 46 conhost.exe 41->46         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35/
Threat name:
Script-WScript.Downloader.SLoad
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 14:24:11 UTC
File Type:
Text (VBS)
AV detection:
5 of 43 (11.63%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gvcstt2m2veyyzfay2og3wplrfrckbkc52t7rgtw7l3e6ueg3i2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0523a910917e35ea987363881f619e7ffd9de72bdb2b24a1b109581b8273631f
GuLoader
10aa7088156f972d7f44c8183c9b26c4ca290e5e1b92b59585a91b9946fb73e2
GuLoader
23c021ec87c8743ef23796c3bfe371298388b4ef72fc6249b29858dc50ece722
GuLoader
28323d3c8fd1339a7d4f0ebad6ff377545e88c15fdca9b2f21cdd7c72c07622e
GuLoader
2ed8aeaf73ee1a3caf7eb0be7814868c4100efbe1b021e2d964db3b638dc7f3c
GuLoader
6403d40c99b5036c9410e11c11872bdceb1955da70a17bdb979cac381d09cc74
GuLoader
8426bc09e01e893337a5b15b947e6f176c1eb937768c70cd4c0526b0b710523a
GuLoader
8e7173102d77a6ed527fc3e783be4aa446e757f4417d3fa1f60f3e9cd0cff4f9
GuLoader
c26350de480859838a7d758ce891d049c78844695c6f7e33f9ea2fecc4b4a4a9
GuLoader
f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0
GuLoader
+ 13'990 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:ty13 downloader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220121-rqp44saadl/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Guloader,Cloudeye
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/354529cf4cd5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221480/

Comments