MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ae1f465cc7f3f76050a4dc053e821ba8b798e323ebf7d8237c9f98b59447061. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ae1f465cc7f3f76050a4dc053e821ba8b798e323ebf7d8237c9f98b59447061
SHA3-384 hash: 2ad5a8151fa26593256ab55e66dd507cf88f2399543d330b2bdcce6af775ec226cc2329aff8613062e3531d434ec5ca0
SHA1 hash: 56712634146c53ebb6a52d12af386f9ade039f11
MD5 hash: bbd1e6d9b49df8ccdf3f905613b251b4
humanhash: timing-ohio-december-magnesium
File name:MT103SWIFT_83738883746467_737466477282736637.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:69'811 bytes
First seen:2023-05-16 11:09:07 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:7EzWS9zOHmu8cAoNTx9DJGbcoQYf03+G2rzK+:IUHmu8cAoNTx9DJGb6Yf03+G4zF
Threatray 1'484 similar samples on MalwareBazaar
TLSH T123632B54CFE916390E072BEFBE01555084F896AD822580BCE5ED077F5113A6CC7BFAA8
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390423/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.11163.9242.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6463648cf8664fd7d8d9c826/reports/f428f56d-0dbb-4e6c-b340-b1f38497ef90/overview
Verdict:
Malicious
Labled as:
Trojan.VBS.SAgent
Link:
https://www.hybrid-analysis.com/sample/6ae1f465cc7f3f76050a4dc053e821ba8b798e323ebf7d8237c9f98b59447061
Result
Verdict:
UNKNOWN
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1234485
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 867466 Sample: MT103SWIFT_83738883746467_7... Startdate: 16/05/2023 Architecture: WINDOWS Score: 88 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected GuLoader 2->34 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->36 8 wscript.exe 1 2->8         started        process3 signatures4 40 VBScript performs obfuscated calls to suspicious functions 8->40 42 Wscript starts Powershell (via cmd or directly) 8->42 11 powershell.exe 15 19 8->11         started        process5 dnsIp6 28 cadesh.ca 162.210.96.124, 443, 49702 STEADFASTUS United States 11->28 44 Very long command line found 11->44 15 powershell.exe 11->15         started        17 conhost.exe 11->17         started        signatures7 process8 process9 19 ieinstal.exe 15->19         started        22 cmd.exe 1 15->22         started        24 cmd.exe 1 15->24         started        26 68 other processes 15->26 signatures10 38 Tries to detect Any.run 19->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ae1f465cc7f3f76050a4dc053e821ba8b798e323ebf7d8237c9f98b59447061/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-16 10:27:06 UTC
File Type:
Text (VBS)
AV detection:
1 of 37 (2.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nlq7izomp47xmbikjxafh2bbxkfxtdrsh27x3arxzh4ywwkeobqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b89806418ec582854a24adb93fba607c7f27938f2b653a081aefd1a5e419e4f
GuLoader
175afe9e12a511bbd4b611c0c8d57c2279ba00357870187d7bdf8cb20fcbaf82
GuLoader
24552144f5fb02e6e73e46581a16dfd23eaffa02b90781f34f0b3692cab926d4
GuLoader
3c7e3789b58b388a933c51740bcdc44c6a46bdaca5969e46b6b183294f470bd3
GuLoader
651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0
GuLoader
6afbb9ebc94ae5fbc1a98207af3ce84dec75c243605ebbd6b15b721165e4130a
GuLoader
d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e
GuLoader
ee06ec93a5853e2753e8c758fda076944b7cb7cc657fb249b03d28cbc45db077
GuLoader
f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb
GuLoader
+ 1'474 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:wt67 downloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230516-m9p61ahe3z/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Formbook payload
Formbook
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs 6ae1f465cc7f3f76050a4dc053e821ba8b798e323ebf7d8237c9f98b59447061

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390423/

Comments