MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96efbe17519d61efe496397b6eac6aed9117d9cec0276b454f2fa192075337ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96efbe17519d61efe496397b6eac6aed9117d9cec0276b454f2fa192075337ff
SHA3-384 hash: 78e29400655916366ef02b54f2277dbccbbd180b12564153a3e0d120258dadd18003d561d58709e02819054d7e99ff5d
SHA1 hash: 3dd153fff90808e2d2897043f9403c0c6cca65d1
MD5 hash: 94d41172eb8e9fb7a0173d1124762df0
humanhash: montana-lake-hamper-south
File name:BOVswiftCOpy01032022.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:202'272 bytes
First seen:2022-03-02 07:24:41 UTC
Last seen:2022-03-02 14:51:54 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:uLsyFqBEgRGjOxWP7/2JCVFHt/QcMZS5R0nZXtwP8nfwgckItsvmmUKFe3hH4MFw:u1GxWj2Utd5q1b5FU7JuV8XnOR9Z
TLSH T19A14845F4035574BEB346B914E3ABBA5892AF9EED7D65287033C549F2F2D828823304D
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246130/
Detection(s):
SecuriteInfo.com.BehavesLike.VBS.Dropper.cv.4244.28722.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/621f1bd8b94fb38cb436373f/reports/0b2952a7-2d3c-49c5-a609-1faa1c76e135/overview
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/948878
Signature
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 581360 Sample: BOVswiftCOpy01032022.vbs Startdate: 02/03/2022 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Yara detected GuLoader 2->47 49 7 other signatures 2->49 9 wscript.exe 2 2->9         started        process3 signatures4 51 VBScript performs obfuscated calls to suspicious functions 9->51 53 Wscript starts Powershell (via cmd or directly) 9->53 55 Very long command line found 9->55 57 Encrypted powershell cmdline option found 9->57 12 powershell.exe 25 9->12         started        process5 signatures6 59 Tries to detect Any.run 12->59 61 Hides threads from debuggers 12->61 15 ieinstal.exe 6 12->15         started        19 csc.exe 3 12->19         started        22 conhost.exe 12->22         started        process7 dnsIp8 33 juntariolongavi.cl 186.64.116.10, 443, 49791 ZAMLTDACL Chile 15->33 35 Modifies the context of a thread in another process (thread injection) 15->35 37 Tries to detect Any.run 15->37 39 Maps a DLL or memory area into another process 15->39 41 3 other signatures 15->41 24 explorer.exe 15->24 injected 31 C:\Users\user\AppData\Local\...\swrgywjy.dll, PE32 19->31 dropped 26 cvtres.exe 1 19->26         started        file9 signatures10 process11 process12 28 wscript.exe 24->28         started        signatures13 63 Tries to detect virtualization through RDTSC time measurements 28->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96efbe17519d61efe496397b6eac6aed9117d9cec0276b454f2fa192075337ff/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3x34f2rtvq67zewhf5w5ldk5wirpwooyatwwrkpf6qzeb2tg77q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
cloudeye
Create hunting rule
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:krnb downloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220302-h8zxladgf9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Adds policy Run key to start application
Formbook Payload
Formbook
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96efbe17519d61efe496397b6eac6aed9117d9cec0276b454f2fa192075337ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/246130/

Comments