MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e
SHA3-384 hash: a117a7671b8be5d56ed7072e6a9e2a9f4970a9cb26cf8bcbbeaa654de11b371bd28e1745f5a628bfe75b917aa11703c9
SHA1 hash: b8e6402082631c775d686872e4da7fe40614d6c8
MD5 hash: 2bc5747794b3dc8c3b5b1a72814bb15a
humanhash: freddie-monkey-west-low
File name:MCC-NEWORDER_73FILE_KEY_323033.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:34'665 bytes
First seen:2023-05-08 18:25:39 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:HXue841+3x4KoDRjbQPq62EHeXhsdrayGmibPJQkFYwUZ:HXuW+3512E+X+9LchFLG
Threatray 1'421 similar samples on MalwareBazaar
TLSH T1E2F2D2628DC51239096712F79A0A0934F87B00FB513528BFAD1DB7798A817187E3F57B
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387594/
Detection(s):
SecuriteInfo.com.VBS.DownLoader.2718.21794.6468.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64593ebe36a9691aaede4aed/reports/f9335094-4d6c-4fce-bef2-fcc13909dbb7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228571
Signature
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 861531 Sample: MCC-NEWORDER_73FILE_KEY_323... Startdate: 08/05/2023 Architecture: WINDOWS Score: 100 58 www.firmshopee.com 2->58 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Sigma detected: Steal Google chrome login data 2->68 70 4 other signatures 2->70 13 wscript.exe 1 2->13         started        signatures3 process4 signatures5 88 VBScript performs obfuscated calls to suspicious functions 13->88 90 Wscript starts Powershell (via cmd or directly) 13->90 16 powershell.exe 15 17 13->16         started        process6 dnsIp7 56 cadesh.ca 162.210.96.124, 443, 49708, 49709 STEADFASTUS United States 16->56 62 Very long command line found 16->62 20 powershell.exe 16->20         started        22 conhost.exe 16->22         started        signatures8 process9 process10 24 ieinstal.exe 6 20->24         started        28 cmd.exe 1 20->28         started        30 cmd.exe 1 20->30         started        32 68 other processes 20->32 dnsIp11 60 cadesh.ca 24->60 80 Modifies the context of a thread in another process (thread injection) 24->80 82 Tries to detect Any.run 24->82 84 Maps a DLL or memory area into another process 24->84 86 2 other signatures 24->86 34 explorer.exe 7 5 24->34 injected signatures12 process13 process14 36 cscript.exe 34->36         started        40 ieinstal.exe 34->40         started        42 ieinstal.exe 34->42         started        file15 50 C:\Users\user\AppData\...\LK8logrv.ini, data 36->50 dropped 52 C:\Users\user\AppData\...\LK8logri.ini, data 36->52 dropped 72 Detected FormBook malware 36->72 74 Tries to steal Mail credentials (via file / registry access) 36->74 76 Tries to harvest and steal browser information (history, passwords, etc) 36->76 78 3 other signatures 36->78 44 cmd.exe 36->44         started        signatures16 process17 file18 54 C:\Users\user\AppData\Local\Temp\DB1, SQLite 44->54 dropped 92 Tries to harvest and steal browser information (history, passwords, etc) 44->92 48 conhost.exe 44->48         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ft4bc5pdgizkunromlwhf2lvjb2ogj47l2hatlvimenko63fnpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b89806418ec582854a24adb93fba607c7f27938f2b653a081aefd1a5e419e4f
GuLoader
2d3c7fefde60268ec96906144d74058651f6d5d7ed5993a8b1ed00ca40a2d7f0
GuLoader
3c7e3789b58b388a933c51740bcdc44c6a46bdaca5969e46b6b183294f470bd3
GuLoader
5165efed390a7710ab87e8256f51ec07dbc9b63e8cf55e104a9230530b813cb0
GuLoader
615349f7344705307b2316dee1177a887390195e85d692069fb2c74def5a4ece
GuLoader
8a8bd03d6e56297acd34652142a5cb999089c75e28decf038c43eeccc14158ba
GuLoader
93e9640423fb4afef5c9255f3489af80b7961696350cf0c30cb295711bb50a8e
GuLoader
ca36938bca50bc95f123c86a7c886b2da3add6b082b31146bbfae46ddccc473c
GuLoader
f14965866d8a9a8c9a12cb2bef6c0cf53e72cbf7f8f61477b42f7aa4f9b417be
GuLoader
fd1e8b3716764f552b7350c4612cfc64b152ded240b6f2a38426d43efeabc7b2
GuLoader
+ 1'411 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:wt67 downloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230508-w269zsdh2y/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Formbook payload
Formbook
Guloader,Cloudeye
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d167c08baf19/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs d167c08baf19919551b1731763974baa43a7193cfaf4704d754308d53bdb2b5e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387594/

Comments