MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e49d8e1e806d3ce84d2f58c6b4e048e69816bfb199a6b427fd207a59fa2e93fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e49d8e1e806d3ce84d2f58c6b4e048e69816bfb199a6b427fd207a59fa2e93fb
SHA3-384 hash: 0c6162e0692c8e494c333e016e3a33201e803ff39b7ffb7929dd4cae07e725c747e2e20ec6909ac2a2d59023a9749828
SHA1 hash: 4090b9776175d760b53501ffbe1ae1f29763be08
MD5 hash: ec05abb52930d7039a9bac3c9ba75abc
humanhash: spaghetti-apart-connecticut-fanta
File name:Bennes64.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:227'201 bytes
First seen:2022-11-09 07:11:32 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:jj6N1063eSVUFQ3IOX8jX8ul1s1NVXyJBNAoeT1u2VHYo1t/G:jj6pP4D8uUpXyJByjd/G
Threatray 3'545 similar samples on MalwareBazaar
TLSH T1E124BEAF9B203B510D485E2BA7CA1C0BDD607E6F3644475F02A81B431F16371BB976AB
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331038/
Detection(s):
SecuriteInfo.com.HEUR.Trojan.VBS.SAgent.gen.26524.11036.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive
Link:
https://www.filescan.io/uploads/636b52c982dd9f2e26531c4d/reports/eee0699e-0877-46eb-94df-423fa8ed4181/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109052
Signature
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 741795 Sample: Bennes64.vbs Startdate: 09/11/2022 Architecture: WINDOWS Score: 100 45 onedrive.live.com 2->45 47 mail.focuzpartsmart.com 2->47 49 4 other IPs or domains 2->49 59 Multi AV Scanner detection for domain / URL 2->59 61 Antivirus detection for URL or domain 2->61 63 Yara detected GuLoader 2->63 65 5 other signatures 2->65 9 wscript.exe 1 1 2->9         started        12 Bdklz.exe 2 2->12         started        14 Bdklz.exe 1 2->14         started        signatures3 process4 signatures5 67 Wscript starts Powershell (via cmd or directly) 9->67 69 Obfuscated command line found 9->69 71 Very long command line found 9->71 16 powershell.exe 25 9->16         started        20 cmd.exe 1 9->20         started        22 conhost.exe 12->22         started        24 conhost.exe 14->24         started        process6 file7 39 C:\Users\user\AppData\...\n2eb1mqm.cmdline, Unicode 16->39 dropped 57 Tries to detect Any.run 16->57 26 CasPol.exe 2 13 16->26         started        31 csc.exe 3 16->31         started        33 conhost.exe 16->33         started        35 conhost.exe 20->35         started        signatures8 process9 dnsIp10 51 mail.focuzpartsmart.com 162.240.214.202, 26, 49849 UNIFIEDLAYER-AS-1US United States 26->51 53 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49845 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->53 55 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49844 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->55 41 C:\Users\user\AppData\Roaming\...\Bdklz.exe, PE32 26->41 dropped 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->73 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->75 77 Tries to steal Mail credentials (via file / registry access) 26->77 79 5 other signatures 26->79 43 C:\Users\user\AppData\Local\...\n2eb1mqm.dll, PE32 31->43 dropped 37 cvtres.exe 1 31->37         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e49d8e1e806d3ce84d2f58c6b4e048e69816bfb199a6b427fd207a59fa2e93fb/
Threat name:
Script-WScript.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 05:45:32 UTC
File Type:
Text (VBS)
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4soy4huanu6oqtjplddljyci42mbnp5rtgtlij75eb5ft6rosp5q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2eafbf195ee3064026099a6f5f6c78aaaae170c9fb81a5f49f501bf0f061cfd4
GuLoader
39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6
GuLoader
678f361d622c482253df9b834e978f8f3ca254fc5549381817dc75431005a047
GuLoader
6d6ebf1870d5d9c6bfebdc9fee3a3f381f86b32770f34df41364f905a489486c
GuLoader
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
GuLoader
8f6e203a52757cdb71ffbf15b696f0518f17862579863e139af08fafe1e1feb6
GuLoader
948eced5fa27e7fc39b404778a20a98d2614158f4f54f1d151de933066045b10
GuLoader
e1dcadc94c7659b12eca375e35858bf68ea02a626078dd5e41eb9bede572417c
GuLoader
+ 3'535 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221109-h1jweagcgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e49d8e1e806d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e49d8e1e806d3ce84d2f58c6b4e048e69816bfb199a6b427fd207a59fa2e93fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:WScript_Shell_PowerShell_Combo_RID32E7
Create hunting rule
Author:Florian Roth
Description:Detects malware from Middle Eastern campaign reported by Talos
Reference:http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs e49d8e1e806d3ce84d2f58c6b4e048e69816bfb199a6b427fd207a59fa2e93fb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/331038/

Comments