MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b
SHA3-384 hash: 8bfd8ae629cdb51f11fe9022dd7887a0e2d9da0dbb82d0c55be9a25875c0e190bf8f0902c1a38f41f5e83c0d95e9bfed
SHA1 hash: 9c50c26e8b2f9c9acfa3192385df88d3144f351c
MD5 hash: d693624e3d9614a0dc9cf5a5cd1bb8ef
humanhash: zulu-quebec-connecticut-lake
File name:Remittance Information (MT-103).vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:82'341 bytes
First seen:2022-01-24 14:37:35 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:bfNRWSaRCjFp9onPdFAgTx00Y2uUaGA4MGymjgeIFJH4t:j/HlE5oYyEI3H4t
Threatray 14'020 similar samples on MalwareBazaar
TLSH T1DB831DA4DA19B4CC49F5AD8382061B7A32B8C41107607D6FFD9295F75B32BDB8B1EC24
Reporter James_inthe_box
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221972/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.24821.30065.21340.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926391
Signature
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 558870 Sample: Remittance Information (MT-... Startdate: 24/01/2022 Architecture: WINDOWS Score: 100 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Yara detected GuLoader 2->71 73 12 other signatures 2->73 11 wscript.exe 2 2->11         started        process3 signatures4 85 VBScript performs obfuscated calls to suspicious functions 11->85 87 Wscript starts Powershell (via cmd or directly) 11->87 89 Very long command line found 11->89 91 Encrypted powershell cmdline option found 11->91 14 powershell.exe 25 11->14         started        process5 signatures6 95 Writes to foreign memory regions 14->95 97 Tries to detect Any.run 14->97 99 Hides threads from debuggers 14->99 17 ieinstal.exe 6 14->17         started        21 csc.exe 3 14->21         started        24 conhost.exe 14->24         started        process7 dnsIp8 51 bulkwhatsappsender.in 151.106.117.33, 443, 49820 PLUSSERVER-ASN1DE Germany 17->51 53 www.bulkwhatsappsender.in 17->53 75 Modifies the context of a thread in another process (thread injection) 17->75 77 Tries to detect Any.run 17->77 79 Maps a DLL or memory area into another process 17->79 81 3 other signatures 17->81 26 explorer.exe 3 17->26 injected 49 C:\Users\user\AppData\Local\...\5wwhq3bl.dll, PE32 21->49 dropped 30 cvtres.exe 1 21->30         started        file9 signatures10 process11 dnsIp12 55 www.dentalbatonrouge.com 108.175.14.116, 49846, 49847, 49848 ONEANDONE-ASBrauerstrasse48DE United States 26->55 57 www.yzicpa.com 26->57 93 System process connects to network (likely due to code injection or exploit) 26->93 32 svchost.exe 1 18 26->32         started        36 ieinstal.exe 26->36         started        38 ieinstal.exe 26->38         started        signatures13 process14 file15 45 C:\Users\user\AppData\...\K-Nlogrv.ini, data 32->45 dropped 47 C:\Users\user\AppData\...\K-Nlogri.ini, data 32->47 dropped 59 Detected FormBook malware 32->59 61 Tries to steal Mail credentials (via file / registry access) 32->61 63 Tries to harvest and steal browser information (history, passwords, etc) 32->63 65 3 other signatures 32->65 40 cmd.exe 2 32->40         started        signatures16 process17 signatures18 83 Tries to harvest and steal browser information (history, passwords, etc) 40->83 43 conhost.exe 40->43         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b/
Threat name:
Script-WScript.Trojan.Powload
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 07:51:03 UTC
File Type:
Text (VBS)
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tdtue2rw23z2shxwqvjn3p3cqx74rxys3q2xh2bfjqvwhw5psnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10aa7088156f972d7f44c8183c9b26c4ca290e5e1b92b59585a91b9946fb73e2
GuLoader
23c021ec87c8743ef23796c3bfe371298388b4ef72fc6249b29858dc50ece722
GuLoader
28323d3c8fd1339a7d4f0ebad6ff377545e88c15fdca9b2f21cdd7c72c07622e
GuLoader
37c61785c47820bbfd4198b8ff7c9db451bdde81371b5dde948b6aeab76a36bf
GuLoader
5c05ff860f7d421506e3e20e83b955a148ec9f4429313881d1c4f1bd22f58e3f
GuLoader
5e6d8684c3f71ca6a76d22d1ddc536f302738a3027d22a5b1ce1852c9c551d99
GuLoader
6403d40c99b5036c9410e11c11872bdceb1955da70a17bdb979cac381d09cc74
GuLoader
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
GuLoader
9029cb23c3237afc1e63076ffba6a89ed9d4fec8df9606feebe68b2de092fa36
GuLoader
c6cbe14f336bc97cc4bf2db682cc36efc1b371f6cc45509ee347c29348903676
GuLoader
+ 14'010 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:k6sm downloader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220124-rzrdjafbbp/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Adds policy Run key to start application
Formbook Payload
Formbook
Guloader,Cloudeye
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dcc73a1351b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/221972/

Comments