MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f
SHA3-384 hash: b30cc7d7c2a7da2b0e3795dd9cad1d2bc3437f2e38eae29b91ed570cd9baadf9b631b5e2dda0a45185d4477b4f32747c
SHA1 hash: 235f285825ac621f16f8fc98664a1c226f1a4d68
MD5 hash: 49ed597d3e71dee0ced6c17c9ecc5ee9
humanhash: three-dakota-carolina-muppet
File name:Document-19-25-24.js
Download: download sample
Signature GuLoader
Create hunting rule
File size:728'103 bytes
First seen:2024-09-12 19:37:59 UTC
Last seen:2024-09-17 14:52:32 UTC
File type:Java Script (JS) js
MIME type:application/json
ssdeep 12288:5YOoheqQXmtqSElhoXJ/r2tiT+059vIkd08brxp+0:5to8vhBE5/r/T+051Q+xpr
TLSH T1B7F45B60FA4401661E83579F9C6256D2FD3CD21193022228E99E439D2F875ECD3BDBAF
TrID 50.6% (.CRYPROJECT) CryEngine Project (generic) (20000/1/7)
31.6% (.PZ2) Poser pose (12500/1/4)
17.7% (.TSS) T'SoundSystem Source (with rem) (7000/1/2)
Magika txt
Reporter k3dg3___
Tags:193-203-203-40 GuLoader js Latrodectus


Avatar
k3dg3
PDF > JS > hxxp://193.203.203.40/vfs.msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e349ad76bc4542b0498afd
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin masquerade remote shell32
Link:
https://www.filescan.io/uploads/66e343228c40ae392b3e144d/reports/824b771b-949b-4c35-a43a-40e094e08c19/overview
Verdict:
Suspicious
Labled as:
JS/DwnLdr
Link:
https://www.hybrid-analysis.com/sample/6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f
Result
Verdict:
UNKNOWN
Result
Threat name:
Latrodectus
Create hunting rule
Detection:
malicious
Classification:
evad.spre.bank.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1510440
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to steal Internet Explorer form passwords
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Uses whoami command line tool to query computer and username
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Generic JS Downloader
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1510440 Sample: Document-19-25-24.js Startdate: 12/09/2024 Architecture: WINDOWS Score: 100 88 wernugemar.com 2->88 90 opengameirar.com 2->90 92 isomicrotich.com 2->92 104 Suricata IDS alerts for network traffic 2->104 106 Found malware configuration 2->106 108 Antivirus detection for URL or domain 2->108 110 5 other signatures 2->110 13 msiexec.exe 14 38 2->13         started        18 wscript.exe 1 2->18         started        20 rundll32.exe 2->20         started        signatures3 process4 dnsIp5 94 193.203.203.40, 49705, 80 SEAP-AGEES Russian Federation 13->94 74 C:\Windows\Installer\MSIE21D.tmp, PE32 13->74 dropped 76 C:\Windows\Installer\MSIDE90.tmp, PE32 13->76 dropped 78 C:\Windows\Installer\MSIDE60.tmp, PE32 13->78 dropped 80 3 other files (none is malicious) 13->80 dropped 124 Drops executables to the windows directory (C:\Windows) and starts them 13->124 22 MSIE21D.tmp 1 13->22         started        24 msiexec.exe 13->24         started        126 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->126 file6 signatures7 process8 process9 26 rundll32.exe 22->26         started        process10 28 rundll32.exe 2 26->28         started        file11 70 C:\Users\user\AppData\...\Update_915a6a2a.dll, PE32+ 28->70 dropped 72 :wtfbbq (copy), PE32+ 28->72 dropped 120 Checks if browser processes are running 28->120 122 Contains functionality to steal Internet Explorer form passwords 28->122 32 rundll32.exe 22 28->32         started        signatures12 process13 dnsIp14 82 wernugemar.com 172.67.162.13, 443, 49724, 49725 CLOUDFLARENETUS United States 32->82 84 opengameirar.com 188.114.96.3, 443, 49719, 49720 CLOUDFLARENETUS European Union 32->84 86 isomicrotich.com 188.114.97.3, 443, 49714, 49715 CLOUDFLARENETUS European Union 32->86 96 System process connects to network (likely due to code injection or exploit) 32->96 98 Tries to steal Mail credentials (via file / registry access) 32->98 100 Tries to harvest and steal browser information (history, passwords, etc) 32->100 36 cmd.exe 1 32->36         started        39 cmd.exe 1 32->39         started        41 cmd.exe 32->41         started        43 9 other processes 32->43 signatures15 process16 signatures17 112 Uses net.exe to modify the status of services 36->112 114 Uses ipconfig to lookup or modify the Windows network settings 36->114 116 Uses whoami command line tool to query computer and username 36->116 45 conhost.exe 36->45         started        47 ipconfig.exe 1 36->47         started        49 systeminfo.exe 2 1 39->49         started        52 conhost.exe 39->52         started        118 Performs a network lookup / discovery via net view 41->118 60 2 other processes 41->60 54 net.exe 43->54         started        56 net.exe 43->56         started        58 conhost.exe 43->58         started        62 13 other processes 43->62 process18 signatures19 102 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 49->102 64 WmiPrvSE.exe 49->64         started        66 net1.exe 54->66         started        68 net1.exe 56->68         started        process20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3kmbmxgpici72qbmoqzlcguz45oi2nwfs7yknwlnqvccpf72vxq._file
Result
Malware family:
latrodectus
Create hunting rule
Score:
  10/10
Tags:
family:latrodectus discovery execution loader
Link:
https://tria.ge/reports/240912-yvd1zasanm/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Drops file in Windows directory
Blocklisted process makes network request
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects Latrodectus
Latrodectus loader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:GuLoader
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b6b610a367e7a20eddac6170779df88fadd2c04d1c1185d3349b69bfefb99e8d

GuLoader

Java Script (JS) js 6ed4c0b2e67a048fea0163a19588d4cf3ae469b62cbf8536cb6c2a213cbfd56f

(this sample)

Latrodectus

Executable exe 2333dd858fc40899a1bff3fb39fbc0b4e65a864bfd4eb73c26b48aaddcca7061

Latrodectus

Microsoft Software Installer (MSI) msi f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c

  
Dropped by
SHA256 b6b610a367e7a20eddac6170779df88fadd2c04d1c1185d3349b69bfefb99e8d
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f60c7e2cd7078584e1fb2eacd6270c314f1e23f76a4cd78c5d13eec215f0e41c
  
Dropping
MD5 c017277279dada1b9653bc6838019952
  
Dropped by
SHA256 2f7c4b3bddfcdd2992151c83f85d23fcb886035fb8f477e6c1caba134420bf2e
  
Dropped by
MD5 c48c883ccf4b2e18e23e576bbc8c6bba

Comments