MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4ff488e6f002262f237fb5c6b2bf98e4de8382b381b4cc32af42a4e19b42ee5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4ff488e6f002262f237fb5c6b2bf98e4de8382b381b4cc32af42a4e19b42ee5
SHA3-384 hash: ec4e68c044c5ae7f92fb5f9b756bfa1a0a71bc870665560e7fea8d473dd98ec637c8c2076b2041f84c5ba9b9d2abbe3f
SHA1 hash: efd82920531cbedef426e25d504fbd5934e0a098
MD5 hash: 52f03b2cdebf0c1719b8b795a94e921c
humanhash: ohio-golf-bravo-tennis
File name:vbc.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:106'496 bytes
First seen:2021-09-30 14:21:38 UTC
Last seen:2021-09-30 15:02:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a587116cc4241097b364fa915d1c4c46 (6 x GuLoader)
ssdeep 1536:nenDEBl3C6awbEsG8i/u9Qzrhb9tyVLyJ0VfpYEnYg2t82F:enyZMTRtwg0VVAF
TLSH T1ABA33982F0E2DD8DD111067F98D24DF06919AFD0D87A0653A39AFEDE3BBA14CDA6C111
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ReminderStatement - 22387.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-30 11:38:51 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/2b703d3f-aded-49a7-b5c6-9d31287d6595

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193677/
Detection(s):
SecuriteInfo.com.Trojan.PackedENT.235.16171.17502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0bfb2e8-0e29-453b-abce-eae4b77aaf63
Result
Threat name:
GuLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861971
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1439 Sample: vbc.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 56 www.vi88.info 2->56 58 www.vertuminy.com 2->58 60 41 other IPs or domains 2->60 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Potential malicious icon found 2->78 80 Found malware configuration 2->80 82 12 other signatures 2->82 11 vbc.exe 1 1 2->11         started        signatures3 process4 signatures5 100 Creates autostart registry keys with suspicious values (likely registry only malware) 11->100 102 Creates multiple autostart registry keys 11->102 104 Tries to detect Any.run 11->104 106 Hides threads from debuggers 11->106 14 vbc.exe 9 11->14         started        process6 dnsIp7 68 185.222.58.118, 49723, 49777, 49781 ROOTLAYERNETNL Netherlands 14->68 108 Modifies the context of a thread in another process (thread injection) 14->108 110 Tries to detect Any.run 14->110 112 Maps a DLL or memory area into another process 14->112 114 3 other signatures 14->114 18 explorer.exe 3 6 14->18 injected signatures8 process9 dnsIp10 62 www.ideemimarlikinsaat.com 178.18.193.120, 49732, 49749, 49785 VARGONENTR Turkey 18->62 64 www.hsvfingerprinting.com 192.185.0.218, 49774, 49775, 80 UNIFIEDLAYER-AS-1US United States 18->64 66 22 other IPs or domains 18->66 50 C:\Users\user\...\7no03lkxedwtor58.exe, PE32 18->50 dropped 84 System process connects to network (likely due to code injection or exploit) 18->84 86 Benign windows process drops PE files 18->86 23 msiexec.exe 1 12 18->23         started        26 7no03lkxedwtor58.exe 1 18->26         started        28 7no03lkxedwtor58.exe 1 18->28         started        30 7no03lkxedwtor58.exe 1 18->30         started        file11 signatures12 process13 signatures14 88 Tries to steal Mail credentials (via file access) 23->88 90 Self deletion via cmd delete 23->90 92 Creates multiple autostart registry keys 23->92 98 5 other signatures 23->98 32 cmd.exe 2 23->32         started        35 cmd.exe 1 23->35         started        37 firefox.exe 23->37         started        94 Tries to detect Any.run 26->94 96 Hides threads from debuggers 26->96 39 7no03lkxedwtor58.exe 7 26->39         started        42 7no03lkxedwtor58.exe 7 28->42         started        44 7no03lkxedwtor58.exe 7 30->44         started        process15 file16 70 Tries to harvest and steal browser information (history, passwords, etc) 32->70 46 conhost.exe 32->46         started        48 conhost.exe 35->48         started        52 C:\Users\user\AppData\Local\...\juster.exe, PE32 39->52 dropped 54 C:\Users\user\AppData\Local\...\juster.vbs, ASCII 39->54 dropped 72 Tries to detect Any.run 39->72 74 Hides threads from debuggers 39->74 signatures17 process18
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4ff488e6f002262f237fb5c6b2bf98e4de8382b381b4cc32af42a4e19b42ee5/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 08:27:52 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210930-rpkg8saafr/
Behaviour
Suspicious use of SetWindowsHookEx
Uses the VBS compiler for execution
Guloader,Cloudeye
Unpacked files
SH256 hash:
b4ff488e6f002262f237fb5c6b2bf98e4de8382b381b4cc32af42a4e19b42ee5
MD5 hash:
52f03b2cdebf0c1719b8b795a94e921c
SHA1 hash:
efd82920531cbedef426e25d504fbd5934e0a098
Link:
https://www.unpac.me/results/1e822dd3-ba2b-4b02-a206-47776956a8db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b4ff488e6f002262f237fb5c6b2bf98e4de8382b381b4cc32af42a4e19b42ee5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1647635/
Cape
Cape
https://www.capesandbox.com/analysis/193677/

Comments