MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3b697f1100c8c075aaf74d735416c94ff4e6a4940dccf111c7183ea8a098739. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash: b3b697f1100c8c075aaf74d735416c94ff4e6a4940dccf111c7183ea8a098739
SHA3-384 hash: 182b201378e2f2a7610ad46ebcf0c591a2c4943a862ffbf16483b986a218e5ff8b88301b515e617d881728b14f9767fb
SHA1 hash: 1cd9bd7e344ec011fbc6845baa23ff153dbe411c
MD5 hash: 3c52d7ffb4986a984b59a905600e96b5
humanhash: white-ten-spaghetti-echo
File name:DOC 009323.vbs
Download: download sample
Signature GuLoader
File size:166'746 bytes
First seen:2022-02-11 10:03:21 UTC
Last seen:2022-02-14 11:05:11 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:hsse3tiE0aLGyNXc0++iKRf0GP3FKqfV4UoYXHdvAAcIbbZ8DHFVDXCovJ1aGUQF:KfIwJNo+VJxWDPFFOVfOUlTFa
TLSH T108F380A5D86837B1DB346A8EDC83B7A702B1F10256DA218B11958D0FCFDEB51A607C1F
Reporter @lowmal3
Tags:GuLoader vbs

Intelligence


File Origin
# of uploads :
4
# of downloads :
339
Origin country :
DE DE
Mail intelligence
No data
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive phishing powershell sload valyria
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Malicious Scriptlet 2 of 7
Detected a malicious pivot typically seen during the 'file-less' pivot commonly seen in malware carriers.
Result
Threat name:
AgentTesla GuLoader
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 570635 Sample: DOC 009323.vbs Startdate: 11/02/2022 Architecture: WINDOWS Score: 100 30 xbswea.bn.files.1drv.com 2->30 32 onedrive.live.com 2->32 34 2 other IPs or domains 2->34 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 9 other signatures 2->58 9 wscript.exe 2 2->9         started        signatures3 process4 signatures5 60 Wscript starts Powershell (via cmd or directly) 9->60 62 Very long command line found 9->62 64 Encrypted powershell cmdline option found 9->64 12 powershell.exe 24 9->12         started        process6 signatures7 66 Tries to detect Any.run 12->66 68 Hides threads from debuggers 12->68 15 CasPol.exe 18 19 12->15         started        19 CasPol.exe 12->19         started        21 csc.exe 3 12->21         started        24 4 other processes 12->24 process8 dnsIp9 36 api.telegram.org 149.154.167.220, 443, 49828, 49829 TELEGRAMRU United Kingdom 15->36 38 Tries to steal Mail credentials (via file / registry access) 15->38 40 Tries to harvest and steal ftp login credentials 15->40 42 Tries to harvest and steal browser information (history, passwords, etc) 15->42 50 3 other signatures 15->50 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->46 48 Contains functionality to register a low level keyboard hook 19->48 28 C:\Users\user\AppData\Local\...\xoedazss.dll, PE32 21->28 dropped 26 cvtres.exe 1 21->26         started        file10 signatures11 process12
Threat name:
Script-WScript.Trojan.Valyria
Status:
Malicious
First seen:
2022-02-11 10:04:11 UTC
File Type:
Text (VBS)
AV detection:
8 of 41 (19.51%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:exec_macros
Author:ddvvmmzz
Description:exec macros
Rule name:obfuscate_macros
Author:ddvvmmzz
Description:obfuscate macros

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs b3b697f1100c8c075aaf74d735416c94ff4e6a4940dccf111c7183ea8a098739

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments