MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53d67f71ad1dced9a60bf3c17a20b426d0a8966c5f0a377462565b3aa6528296. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53d67f71ad1dced9a60bf3c17a20b426d0a8966c5f0a377462565b3aa6528296
SHA3-384 hash: 8f977c3014d8c1b41741c811dd43cd0d9265cad280926fe82798c07737b28692d16047e83d4aa75536f05e7314f99bca
SHA1 hash: 995348102d8a4e2d2ce3a8b375ad5d2bbe29853d
MD5 hash: 009b77f686b5a88e7c7b4a05b9bb6cb5
humanhash: connecticut-grey-mountain-quebec
File name:doc189478202003180817411122023_pdf_(991KB).vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:388'573 bytes
First seen:2023-12-11 15:17:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:/cXWEsCh38/W79i9dxFy3L/NflTUJfMWbKI/wWAdEgLxF4sfH0lW3MKfivWV:/cXRsyEc/ZNI41d2sOWpCWV
Threatray 663 similar samples on MalwareBazaar
TLSH T1E0847DA1EF58161D0D4B3BEADC424C91C5BDC12A5927012AFEED13DEA10B95CD3BEB09
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/465472/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm sload virus
Link:
https://www.filescan.io/uploads/65772dc981a3a8ec606e7ee7/reports/b4eb4d34-20bf-4515-813f-1cd053c1713c/overview
Verdict:
Suspicious
Labled as:
Trojan.VBS.SAgent
Link:
https://www.hybrid-analysis.com/sample/53d67f71ad1dced9a60bf3c17a20b426d0a8966c5f0a377462565b3aa6528296
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1359703
Signature
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1359703 Sample: doc189478202003180817411122... Startdate: 12/12/2023 Architecture: WINDOWS Score: 72 27 empercudiera.sa.com 2->27 33 Potential malicious VBS script found (suspicious strings) 2->33 9 wscript.exe 1 2->9         started        12 svchost.exe 1 83 2->12         started        signatures3 process4 dnsIp5 35 VBScript performs obfuscated calls to suspicious functions 9->35 37 Suspicious powershell command line found 9->37 39 Wscript starts Powershell (via cmd or directly) 9->39 41 2 other signatures 9->41 15 powershell.exe 12 9->15         started        29 127.0.0.1 unknown unknown 12->29 signatures6 process7 signatures8 43 Suspicious powershell command line found 15->43 45 Very long command line found 15->45 18 powershell.exe 21 15->18         started        21 conhost.exe 15->21         started        23 cmd.exe 1 15->23         started        process9 signatures10 31 Powershell uses Background Intelligent Transfer Service (BITS) 18->31 25 cmd.exe 1 18->25         started        process11
Score:
99%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/53d67f71ad1dced9a60bf3c17a20b426d0a8966c5f0a377462565b3aa6528296
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53d67f71ad1dced9a60bf3c17a20b426d0a8966c5f0a377462565b3aa6528296/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kplh64nndxhntjql6paxuifue3ikrftml4fdo5dckzntvjssqkla._file
Verdict:
unknown
Similar samples:
1c8ba53a0df3d48bd031a348f36b5d75ac78db8d94987a3368a9c49429b47222
GuLoader
26e297f8f4bf5837af4c8b5132598c2eed45245c4f6baf0e8c960ff2a555989e
GuLoader
404a9d49d8522e19080af0cb183134fc058120e30fa38f5b8234eeb583c6f079
GuLoader
7384dec8a7a13e1709dff93154c0cd796055798a19fe470f30c211a991d46849
GuLoader
87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
GuLoader
92ce47945cd3524d616b5ebc20899479c6a9fae199169322a24290d19e9adfb0
GuLoader
afb2d85d5726a65aca9ac9d2e1574ee7da80942db1bbcb4a1594b40339ba84d6
GuLoader
b94bcb3ea1cef8b1759856c06c57264332223216fda926fdb58bc848e5a5494d
GuLoader
e479c0b49b6fe13242fc767e1db58067b61e4c16ff7068d3b39c4d8c2836428f
GuLoader
f68f1af4eb16d6d185899ace2e951c196a80591bde4134cf290e69eea91d5472
GuLoader
+ 653 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/231211-synrpaagdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53d67f71ad1dced9a60bf3c17a20b426d0a8966c5f0a377462565b3aa6528296

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs 53d67f71ad1dced9a60bf3c17a20b426d0a8966c5f0a377462565b3aa6528296

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/465472/

Comments