MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62
SHA3-384 hash: 85544305397fd655a09efb412a7028025c118d9704f2723a246bf5329b0ab53edfe3119f35f5428a7d0598825f6df268
SHA1 hash: 37466c9e52be071a2b9bb4606f358a7cbb05d0dc
MD5 hash: a485f9c22bb28feb62d01c63e1cd9faa
humanhash: eleven-tango-pluto-magnesium
File name:IEexplore.hta
Download: download sample
Signature GuLoader
Create hunting rule
File size:204'229 bytes
First seen:2024-08-09 17:31:00 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 768:tZ6A3yXNA0AGAuKMPjeSssA00SrsxDunbQiXAZO:tpsT
TLSH T10E145957D203F579DB5348FBEA7CAF9113D09E8ACE8C964F40AE44599BD0ADB720C086
Reporter NDA0E
Tags:GuLoader hta RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-360.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b65257b35234d5cc65c347
Tags:
Execution Exploit Generic Network Stealth Trojan
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66b6525ae565ee98cf3e1670/reports/3a62d31d-e132-47dd-a0ea-7afca5a00dda/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.CAAE91FA
Link:
https://www.hybrid-analysis.com/sample/ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490759
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected GuLoader
Yara detected obfuscated html page
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490759 Sample: IEexplore.hta Startdate: 09/08/2024 Architecture: WINDOWS Score: 100 64 euro-fier-vechi.ro 2->64 80 Antivirus detection for URL or domain 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 9 other signatures 2->86 13 mshta.exe 1 2->13         started        signatures3 process4 signatures5 102 Suspicious command line found 13->102 104 PowerShell case anomaly found 13->104 16 cmd.exe 1 13->16         started        process6 signatures7 70 Detected Cobalt Strike Beacon 16->70 72 Suspicious powershell command line found 16->72 74 PowerShell case anomaly found 16->74 19 powershell.exe 45 16->19         started        24 conhost.exe 16->24         started        process8 dnsIp9 66 23.94.239.112, 49704, 80 AS-COLOCROSSINGUS United States 19->66 52 C:\Users\user\AppData\Roaming\sahosts.exe, PE32 19->52 dropped 54 C:\Users\user\AppData\Local\...\sahost[1].exe, PE32 19->54 dropped 56 C:\Users\user\AppData\...\fg1d3kmr.cmdline, Unicode 19->56 dropped 88 Found suspicious powershell code related to unpacking or dynamic code loading 19->88 90 Loading BitLocker PowerShell Module 19->90 92 Powershell drops PE file 19->92 26 sahosts.exe 1 20 19->26         started        30 csc.exe 3 19->30         started        file10 signatures11 process12 file13 58 C:\Users\user\AppData\...\opencv_ml2410.dll, PE32+ 26->58 dropped 60 C:\Users\user\AppData\...\Fikserbilleders.Suv, ASCII 26->60 dropped 96 Multi AV Scanner detection for dropped file 26->96 98 Detected Cobalt Strike Beacon 26->98 100 Suspicious powershell command line found 26->100 32 powershell.exe 19 26->32         started        62 C:\Users\user\AppData\Local\...\fg1d3kmr.dll, PE32 30->62 dropped 36 cvtres.exe 1 30->36         started        signatures14 process15 file16 50 C:\Users\user\AppData\Local\...\sahosts.exe, PE32 32->50 dropped 76 Writes to foreign memory regions 32->76 78 Hides threads from debuggers 32->78 38 wab.exe 2 13 32->38         started        42 conhost.exe 32->42         started        signatures17 process18 dnsIp19 68 euro-fier-vechi.ro 188.214.214.160, 443, 49713, 49714 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 38->68 94 Hides threads from debuggers 38->94 44 cmd.exe 1 38->44         started        signatures20 process21 process22 46 conhost.exe 44->46         started        48 reg.exe 1 1 44->48         started       
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62/
Threat name:
Document-HTML.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-08-09 06:20:37 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzy3dfxc2lshdfzrclu63g4xmwjhigplghvvqj4g4dicftiuv5ra._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence
Link:
https://tria.ge/reports/240809-v3pkwstbnj/
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce71b196e2d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Excel file xls e2f8064a2b3a3b4a04f874a8666cddc6cfdf1159e487f88f225baa22f0c2efef

GuLoader

HTML Application (hta) hta ce71b196e2d2e471973112e9ed9b9765927419eb31eb582786e0d022cd14af62

(this sample)

GuLoader

Executable exe 61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d

  
Dropped by
SHA256 e2f8064a2b3a3b4a04f874a8666cddc6cfdf1159e487f88f225baa22f0c2efef
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3098008/
  
URLhaus
https://urlhaus.abuse.ch/url/3098010/
  
Dropping
SHA256 61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d
  
Dropping
MD5 9cef532829a4ca2cf13279ac134873d8
  
Dropped by
MD5 51a384c21f19b18a4fd736d1d8411136

Comments