MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079
SHA3-384 hash: 7a90c0002138825233d6efbd0a389aecb49cce5be274a4012a01c6c773b0fb7f3c99af14da9f9e58e16d9476ad20f252
SHA1 hash: 8e22c38dc0e4f075d8e4e0eb780b309c764727c2
MD5 hash: f5a20b0c439d901a7b9d183ac04227e2
humanhash: india-table-enemy-carolina
File name:877004753788_0314131700_14181.vbe
Download: download sample
Signature GuLoader
Create hunting rule
File size:53'765 bytes
First seen:2023-11-01 06:47:09 UTC
Last seen:2023-11-01 11:22:22 UTC
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 768:q3V5vmiIciyssD1F6W0IXG4ju4fQUAo10JBT40TFfPXkEhC2XAi3t6AiFj0:eoTXs36TIXG4ju4fcxd9kqfXAhFj0
Threatray 966 similar samples on MalwareBazaar
TLSH T185336BA1DE990A1A0D4B37CADC421AC1C6FCC05909375125FEE953CEA24B6BC93BDF19
Reporter abuse_ch
Tags:GuLoader vbe

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.16611.15645.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cerberus
Link:
https://www.filescan.io/uploads/6541f4a64ebf05ac3f40a481/reports/fd767723-a897-4b77-b710-09b2101f292a/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079
Result
Verdict:
MALICIOUS
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335314
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Obfuscated command line found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335314 Sample: 877004753788_0314131700_14181.vbe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 23 googlehosted.l.googleusercontent.com 2->23 25 drive.google.com 2->25 27 doc-0g-bo-docs.googleusercontent.com 2->27 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected GuLoader 2->39 9 wscript.exe 2->9         started        signatures3 process4 signatures5 41 Suspicious powershell command line found 9->41 43 Wscript starts Powershell (via cmd or directly) 9->43 45 Obfuscated command line found 9->45 47 2 other signatures 9->47 12 powershell.exe 16 9->12         started        process6 signatures7 49 Suspicious powershell command line found 12->49 51 Obfuscated command line found 12->51 53 Very long command line found 12->53 15 powershell.exe 23 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 55 Writes to foreign memory regions 15->55 57 Maps a DLL or memory area into another process 15->57 59 Found suspicious powershell code related to unpacking or dynamic code loading 15->59 20 CasPol.exe 6 15->20         started        process10 dnsIp11 29 drive.google.com 142.251.167.139, 443, 49741, 49743 GOOGLEUS United States 20->29 31 googlehosted.l.googleusercontent.com 172.253.62.132, 443, 49752, 49754 GOOGLEUS United States 20->31
Score:
99%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 06:48:05 UTC
File Type:
Text (VBS)
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ibfj2soykixbscak6dfrqmju7qcycihdb6ry6w4cgtxlla6g6b4q._file
Verdict:
malicious
Similar samples:
28a46a9953f0b0771ec1bf9527cd35fbefd82119f2f7349faed0e5cbec61abc4
GuLoader
45fd23b26e7f3d4a79e28bc74ea5119a893de6cd4df0996184d960a2fe4c480c
GuLoader
6f1d937b47e5910b8d3ba50bd73c3f52ff06b02325892f09f43a51069657ad0b
GuLoader
9155355baf8df04eb80c98c785632b808e63e255d92fe05572f2e5dc29ca69bc
GuLoader
9aecf5734ff36e456fd5a50650b083c1d521d36212c0a440ec6202fc00d14380
GuLoader
b91e939e8c2270f7371f16b266f738659ff6f16cf1b2cf1c66147008e3e10a8c
GuLoader
fab88e2ebbe4f3ba70e7c08cbedde59af3b9da39ca50c0b252cb547f3dbddd0d
GuLoader
+ 956 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231101-hkrw3sea32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Guloader,Cloudeye
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/404a9d49d852/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cerberus
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbe) vbe 404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments