MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f793f734102e69d7ac16e898a6a65f3d7eae3581c82a7fc8f853299ed18d590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f793f734102e69d7ac16e898a6a65f3d7eae3581c82a7fc8f853299ed18d590
SHA3-384 hash: 55bb9a6b28ec29ad6e24ba37075e653652b857568780ea75387b841c4410e152bf6e44476da0b639c35b83fb345e878a
SHA1 hash: 8c26412a87cb27ccf523d678f336f036fa72cc8b
MD5 hash: 702dfac07c9a3f3152a9db0679f53403
humanhash: king-colorado-fifteen-bakerloo
File name:doc_253554_2023.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:80'700 bytes
First seen:2023-10-20 11:33:16 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:Z4tf6TTBkXNeMfKggALIiWmw2cKX5ETiMGnouy2:Z4tf44N9fvgZzmw7WsYoD2
Threatray 2'699 similar samples on MalwareBazaar
TLSH T183737CE6EB68150E0D4F37AAEC424C95C5BCC1295522016AFFDD03CEA24A99CC37DB1E
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.8579.7992.6543.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/653265ae368548c1702fb41c/reports/818e4f14-eb29-459c-9272-ca9a10d20118/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/7f793f734102e69d7ac16e898a6a65f3d7eae3581c82a7fc8f853299ed18d590
Result
Verdict:
MALICIOUS
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329235
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329235 Sample: doc_253554_2023.vbs Startdate: 20/10/2023 Architecture: WINDOWS Score: 100 23 bantubusta0816.ddns.net 2->23 25 geoplugin.net 2->25 27 cdn.discordapp.com 2->27 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 5 other signatures 2->41 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 43 VBScript performs obfuscated calls to suspicious functions 9->43 45 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 9->45 47 Suspicious powershell command line found 9->47 49 4 other signatures 9->49 12 powershell.exe 16 9->12         started        process6 signatures7 51 Suspicious powershell command line found 12->51 53 Very long command line found 12->53 15 powershell.exe 21 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 55 Writes to foreign memory regions 15->55 57 Maps a DLL or memory area into another process 15->57 59 Found suspicious powershell code related to unpacking or dynamic code loading 15->59 20 wab.exe 6 13 15->20         started        process10 dnsIp11 29 bantubusta0816.ddns.net 172.94.4.196, 49719, 6699 M247GB United States 20->29 31 cdn.discordapp.com 162.159.130.233, 443, 49711, 49712 CLOUDFLARENETUS United States 20->31 33 geoplugin.net 178.237.33.50, 49721, 80 ATOM86-ASATOM86NL Netherlands 20->33
Score:
99%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/7f793f734102e69d7ac16e898a6a65f3d7eae3581c82a7fc8f853299ed18d590
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f793f734102e69d7ac16e898a6a65f3d7eae3581c82a7fc8f853299ed18d590/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2023-10-19 04:27:25 UTC
File Type:
Text (VBS)
AV detection:
5 of 23 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p54t642baltj26wbn2eyu2tf6pl6vy2ydsbkp7epquzjt3iy2wia._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
045b514767dbbe5c411284ea83b2d47b62b1f7a258f866871bfebc14667ef5e6
GuLoader
1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a
GuLoader
475355b8bf2f2a68293c808cf959de00a8e04d6f48871a5a1fccaf9d318570fa
GuLoader
55eebc888e9151e28295587ff7c12c40f8b7ae5f23d29bac79c6444277940a6a
GuLoader
6ecf9fda65dc1a4a9c7610510ac9f78a6663e75d736a8444c72e11a0cc8d8d46
GuLoader
7076d5e0459c068bc798fb168a91c4f33f2895e52356946da3f7617b7fc28b57
GuLoader
b94bcb3ea1cef8b1759856c06c57264332223216fda926fdb58bc848e5a5494d
GuLoader
e32a2cbc74a18c6807c21d5c8c72c5c315b9fdbf71792bb5f0feefb1ef61c509
GuLoader
e479c0b49b6fe13242fc767e1db58067b61e4c16ff7068d3b39c4d8c2836428f
GuLoader
+ 2'689 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231020-npfbqsac61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f793f734102/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f793f734102e69d7ac16e898a6a65f3d7eae3581c82a7fc8f853299ed18d590

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments