MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c43aa71f1636522145ea3e384b2546d5a589260cd7a2cc42688dda5944215b68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c43aa71f1636522145ea3e384b2546d5a589260cd7a2cc42688dda5944215b68
SHA3-384 hash: ef603b359fd3c763defa5ae28e2c1adb6267463d47ffdf58c6dc117f41593c4bb7fef2f0c2634a81ad8be2d4b107dcf8
SHA1 hash: b65ef6cf8e46d38e2ab287f6584c8d456c36202d
MD5 hash: fc612d46cca59534577f51b16710b323
humanhash: beryllium-glucose-yellow-december
File name:heteronymous.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:73'455 bytes
First seen:2024-12-31 08:26:27 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:ggz3v5pA6TiWl+GJFQdGJVfYRFSlntJOEDy:ggj5aUie+oQwJ5YRECEDy
TLSH T110734B62EF68066B0E4A279AFD542E86C57CC205452768E1FECD030D610B8ACE3FE31D
Magika vba
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.VBS.Agent-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6773aadf74a2bd296e24b76d
Tags:
xtreme virus sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive
Link:
https://www.filescan.io/uploads/6773aadd2246515fb584486e/reports/1b2ce487-e7f6-42ab-8ad3-591aed4fd581/overview
Verdict:
Malicious
Labled as:
Trojan_VBS_GuLoader_RTEV_MTB
Link:
https://www.hybrid-analysis.com/sample/c43aa71f1636522145ea3e384b2546d5a589260cd7a2cc42688dda5944215b68
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582685
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1582685 Sample: heteronymous.vbs Startdate: 31/12/2024 Architecture: WINDOWS Score: 100 30 geoplugin.net 2->30 32 fo2xc.icu 2->32 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 11 other signatures 2->46 8 powershell.exe 17 2->8         started        11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 50 Early bird code injection technique detected 8->50 52 Writes to foreign memory regions 8->52 54 Found suspicious powershell code related to unpacking or dynamic code loading 8->54 56 Queues an APC in another process (thread injection) 8->56 13 msiexec.exe 3 13 8->13         started        17 conhost.exe 8->17         started        58 VBScript performs obfuscated calls to suspicious functions 11->58 60 Suspicious powershell command line found 11->60 62 Wscript starts Powershell (via cmd or directly) 11->62 64 2 other signatures 11->64 19 powershell.exe 14 18 11->19         started        process6 dnsIp7 34 154.216.18.62, 2404, 49932, 49942 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 13->34 36 geoplugin.net 178.237.33.50, 49943, 80 ATOM86-ASATOM86NL Netherlands 13->36 66 Detected Remcos RAT 13->66 68 Tries to steal Mail credentials (via file registry) 13->68 70 Maps a DLL or memory area into another process 13->70 21 msiexec.exe 2 13->21         started        24 msiexec.exe 1 13->24         started        26 msiexec.exe 1 13->26         started        38 fo2xc.icu 172.67.136.42, 443, 49713, 49905 CLOUDFLARENETUS United States 19->38 72 Found suspicious powershell code related to unpacking or dynamic code loading 19->72 28 conhost.exe 19->28         started        signatures8 process9 signatures10 48 Tries to harvest and steal browser information (history, passwords, etc) 21->48
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c43aa71f1636522145ea3e384b2546d5a589260cd7a2cc42688dda5944215b68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c43aa71f1636522145ea3e384b2546d5a589260cd7a2cc42688dda5944215b68/
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2024-12-30 06:25:54 UTC
File Type:
Text (VBS)
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yq5kohywgzjccrpkhy4ewjkg2wsysjqm26rmyqtirxnfsrbblnua._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery execution rat
Link:
https://tria.ge/reports/241231-kceynatrcj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
154.216.18.62:2404
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c43aa71f1636522145ea3e384b2546d5a589260cd7a2cc42688dda5944215b68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Guloader_VBScript
Create hunting rule
Author:Ankit Anubhav - ankitanubhav.info
Description:Detects GuLoader/CloudEye VBScripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments