MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4156fb871571c268e88901fb258cb031be24c7771bf63f137ac33ccd688969f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4156fb871571c268e88901fb258cb031be24c7771bf63f137ac33ccd688969f7
SHA3-384 hash: 06b00ed1c2b020414f0c463e889b28ec6030a526da3442d5eb13152d38d94dc3eccd748987853c1d143fbc1471fb3b19
SHA1 hash: 1801c1bf16294dd5dd179f0a1604a0b0b7eb65ca
MD5 hash: 922a302070e9f98b52be96d9feea6edb
humanhash: orange-princess-venus-earth
File name:Payment_Advice_PHHSBC3J02663515-T01.vbe
Download: download sample
Signature GuLoader
Create hunting rule
File size:37'016 bytes
First seen:2023-10-03 06:14:15 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 768:9zccYggDW9qQAOjmWO6uwCArm3CLN/svoLOjF2ErKaXHKkdEqEZXy:9qgg6oPArm3UNsvb4Ha4C
Threatray 5'811 similar samples on MalwareBazaar
TLSH T16DF26CA4D9991F2A488F26F7DC4248D2493D82695923002ABEDD138ED31F94CD3BEF5D
Reporter abuse_ch
Tags:GuLoader vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HEUR.Trojan.VBS.SAgent.gen.5752.13269.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651bb1699b16696e9f8d8df2/reports/84c823f8-e6c2-4d02-a583-df92892b99a3/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4156fb871571c268e88901fb258cb031be24c7771bf63f137ac33ccd688969f7
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318474
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
May check the online IP address of the machine
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1318474 Sample: Payment_Advice_PHHSBC3J0266... Startdate: 03/10/2023 Architecture: WINDOWS Score: 100 24 drive.google.com 2->24 32 Yara detected GuLoader 2->32 34 Yara detected AgentTesla 2->34 9 wscript.exe 2->9         started        signatures3 process4 signatures5 44 Suspicious powershell command line found 9->44 46 Wscript starts Powershell (via cmd or directly) 9->46 48 Obfuscated command line found 9->48 50 2 other signatures 9->50 12 powershell.exe 16 9->12         started        process6 signatures7 52 Suspicious powershell command line found 12->52 54 Obfuscated command line found 12->54 56 Very long command line found 12->56 15 powershell.exe 23 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 58 Writes to foreign memory regions 15->58 60 Tries to detect Any.run 15->60 62 Maps a DLL or memory area into another process 15->62 64 Found suspicious powershell code related to unpacking or dynamic code loading 15->64 20 CasPol.exe 15 10 15->20         started        process10 dnsIp11 26 api4.ipify.org 173.231.16.77, 443, 49840 WEBNXUS United States 20->26 28 googlehosted.l.googleusercontent.com 142.250.31.132, 443, 49790, 49796 GOOGLEUS United States 20->28 30 7 other IPs or domains 20->30 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->36 38 May check the online IP address of the machine 20->38 40 Tries to steal Mail credentials (via file / registry access) 20->40 42 2 other signatures 20->42 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4156fb871571c268e88901fb258cb031be24c7771bf63f137ac33ccd688969f7/
Threat name:
Script-WScript.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-10-03 06:15:06 UTC
File Type:
Text (VBS)
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iflpxbyvohbgr2ejah5sldfqgg7cjr3xdp3d6e32ym6m22ejnh3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
445e78195ac6fda213fe26c8263f5362d0f3f61ff4d5f11e9c1293298a1b422f
GuLoader
51750c80c00e61d2d5017c6b82a935000ac8ba5d38b7bc37b4ed98f193785148
GuLoader
59b1624b294226b93b186dc503efd7c48937542eec03b0d32d27034729c2a733
GuLoader
5ad0285de999973d1a665bcfe5d7040494f64c113d8ef8664d3bda3ae66b8d67
GuLoader
83cfc425e31898223c5cfb0fbb28fb89e6ba02386a5719170869ae974b479f2b
GuLoader
8bfbe6c64b3e9bb5ea1eef4bd87874cf7c9521eb55aeb5c0becee6c06ebd5d69
GuLoader
c6a0026a78d283724646d2cd5db9fa459a0bd306e19e50c6c23826603b6438df
GuLoader
+ 5'801 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/231003-gzw9nsgf4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
Checks computer location settings
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4156fb871571c268e88901fb258cb031be24c7771bf63f137ac33ccd688969f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbe) vbe 4156fb871571c268e88901fb258cb031be24c7771bf63f137ac33ccd688969f7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments