MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49b109625db665c82ae907c02b184a90b4388caa1f1ddd2800b944a3bcf9805b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49b109625db665c82ae907c02b184a90b4388caa1f1ddd2800b944a3bcf9805b
SHA3-384 hash: d26d024256fec8b9f429e76da3a013521e0a53ea4c252e7348f56c83fc57c550f6d79816c6cbc67ed7977ac98f3153c1
SHA1 hash: aa9b92b4b2df3c5afbce1516061e458d22f25ead
MD5 hash: a6a043039b992470c518beb37316b6fb
humanhash: stream-victor-high-saturn
File name:Arrival_Notice_Maersk-shipping_83778889__.jpg.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:31'627 bytes
First seen:2023-05-22 13:38:02 UTC
Last seen:2023-05-22 13:49:05 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:i8HJvKI41yARlsxM3elBQVgIapmgJeLB/r:i7PPVspmgJ2/r
Threatray 1'560 similar samples on MalwareBazaar
TLSH T13BE21A71E69D361948CB3BEADC400C60C4BA4D150933156BBE8913AE7787B4C977FA2B
Reporter abuse_ch
Tags:GuLoader Maersk vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.1306.21875.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/646b707794868b4175712a86/reports/5edaf6cd-a2e3-4fb7-89f9-782f686cfdff/overview
Verdict:
Suspicious
Labled as:
Trojan.VBS.SAgent
Link:
https://www.hybrid-analysis.com/sample/49b109625db665c82ae907c02b184a90b4388caa1f1ddd2800b944a3bcf9805b
Result
Verdict:
UNKNOWN
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239732
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 872736 Sample: Arrival_Notice_Maersk-shipp... Startdate: 22/05/2023 Architecture: WINDOWS Score: 100 58 www.gtbmeeting.com 2->58 60 www.findloveafterloss.com 2->60 62 2 other IPs or domains 2->62 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 6 other signatures 2->74 13 wscript.exe 1 2->13         started        signatures3 process4 signatures5 92 VBScript performs obfuscated calls to suspicious functions 13->92 94 Wscript starts Powershell (via cmd or directly) 13->94 16 powershell.exe 15 19 13->16         started        process6 dnsIp7 56 cadesh.ca 162.210.96.124, 443, 49701, 49702 STEADFASTUS United States 16->56 66 Very long command line found 16->66 20 powershell.exe 16->20         started        22 conhost.exe 16->22         started        signatures8 process9 process10 24 ieinstal.exe 3 6 20->24         started        28 cmd.exe 1 20->28         started        30 cmd.exe 1 20->30         started        32 68 other processes 20->32 dnsIp11 64 cadesh.ca 24->64 84 Creates multiple autostart registry keys 24->84 86 Modifies the context of a thread in another process (thread injection) 24->86 88 Tries to detect Any.run 24->88 90 3 other signatures 24->90 34 explorer.exe 10 2 24->34 injected signatures12 process13 process14 36 rundll32.exe 34->36         started        40 ieinstal.exe 34->40         started        42 ieinstal.exe 34->42         started        file15 50 C:\Users\user\AppData\...\362logrv.ini, data 36->50 dropped 52 C:\Users\user\AppData\...\362logri.ini, data 36->52 dropped 76 Detected FormBook malware 36->76 78 Tries to steal Mail credentials (via file / registry access) 36->78 80 Creates multiple autostart registry keys 36->80 82 4 other signatures 36->82 44 cmd.exe 36->44         started        signatures16 process17 file18 54 C:\Users\user\AppData\Local\Temp\DB1, SQLite 44->54 dropped 96 Tries to harvest and steal browser information (history, passwords, etc) 44->96 48 conhost.exe 44->48         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49b109625db665c82ae907c02b184a90b4388caa1f1ddd2800b944a3bcf9805b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-22 12:58:05 UTC
File Type:
Text (VBS)
AV detection:
2 of 24 (8.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgyqsys5wzs4qkxja7acwgcksc2drdfkd4o52kaaxfckhphzqbnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03a84155093ab32f570220991ff8f30d65fa048544c4e0fd95038c730be6cec4
GuLoader
0b89806418ec582854a24adb93fba607c7f27938f2b653a081aefd1a5e419e4f
GuLoader
229acb9011d2cf600c9112b5f7d19cba56d9bf5ecc20880a6c760e10f685b244
GuLoader
3c7e3789b58b388a933c51740bcdc44c6a46bdaca5969e46b6b183294f470bd3
GuLoader
61141d9453d13d203de8255903f1aec9fea4906616f000cca0b906a58d754cca
GuLoader
6ae1f465cc7f3f76050a4dc053e821ba8b798e323ebf7d8237c9f98b59447061
GuLoader
86d7bb37384646a755a03c2f6e743483ee40d5af6f018824e89c54a9308ceecf
GuLoader
aee5d1b7326545ff692b98743e04d035e01415300fea8a5bf445d3490d6776cc
GuLoader
d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e
GuLoader
+ 1'550 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:wt67 downloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230522-qxd5ragg34/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Formbook payload
Formbook
Guloader,Cloudeye
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49b109625db6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49b109625db665c82ae907c02b184a90b4388caa1f1ddd2800b944a3bcf9805b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments