MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5120ba9e08623e6f047e1c50aacc2787631e53d8fd547f5d45cd7af81fd7494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5120ba9e08623e6f047e1c50aacc2787631e53d8fd547f5d45cd7af81fd7494
SHA3-384 hash: fdf4e09ee06b75e19623e0973a4a839d51706f033f19b6397652de39020774bdbc206895113c0cdddef645bddb124b29
SHA1 hash: 4392acde6197c2654cb30e8765f9d1f5a5399636
MD5 hash: 3fb83cfc1f2ae8ea6239604090239b9e
humanhash: winner-mobile-lemon-juliet
File name:Conferma di pagamento 14.11.2022.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:245'634 bytes
First seen:2022-11-14 10:36:12 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:1rfcnVrMRKii+Mfdoedp+Kg+M4300kjwYQLDvNsTidbqEUF+0bs8+8h+J9:wrBii+Ol+KgorkFQ3ljE+zgu
Threatray 18'592 similar samples on MalwareBazaar
TLSH T12734C17C0702D9E1F7DF70AACC140A889DD88BE38E30049BB57152B5AEB769C47517EA
Reporter JAMESWT_WT
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333687/
Detection(s):
SecuriteInfo.com.VBS.Obfus-184.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Obfus-185.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63721a502445ecec3cc49b5c/reports/c13b53a6-9b4e-4d69-8844-a8e829d54164/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1112773
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745469 Sample: Conferma di pagamento 14.11... Startdate: 14/11/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 8 wscript.exe 1 1 2->8         started        process3 signatures4 48 VBScript performs obfuscated calls to suspicious functions 8->48 50 Wscript starts Powershell (via cmd or directly) 8->50 52 Obfuscated command line found 8->52 54 Very long command line found 8->54 11 powershell.exe 23 8->11         started        15 cmd.exe 1 8->15         started        process5 file6 34 C:\Users\user\AppData\...\4dxlacvb.cmdline, Unicode 11->34 dropped 56 Tries to detect Any.run 11->56 17 CasPol.exe 7 11->17         started        21 csc.exe 3 11->21         started        24 conhost.exe 11->24         started        26 CasPol.exe 11->26         started        28 conhost.exe 15->28         started        signatures7 process8 dnsIp9 36 finiery.tk 109.123.244.194, 80 CASABLANCA-ASInternetCollocationProviderCZ Czech Republic 17->36 46 Tries to detect Any.run 17->46 32 C:\Users\user\AppData\Local\...\4dxlacvb.dll, PE32 21->32 dropped 30 cvtres.exe 1 21->30         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5120ba9e08623e6f047e1c50aacc2787631e53d8fd547f5d45cd7af81fd7494/
Threat name:
Script-WScript.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 06:55:17 UTC
File Type:
Text (VBS)
AV detection:
13 of 41 (31.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ujaxkpaqyr6n4ch4hcqvlgcpb3ddzj5r7kup5oultl27ap5oska._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2eafbf195ee3064026099a6f5f6c78aaaae170c9fb81a5f49f501bf0f061cfd4
GuLoader
678f361d622c482253df9b834e978f8f3ca254fc5549381817dc75431005a047
GuLoader
75b6589abb41cfee6bd7a5bf66237e679d7f7a2039bb244d02c9faf1d68fb39f
GuLoader
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
GuLoader
8f6e203a52757cdb71ffbf15b696f0518f17862579863e139af08fafe1e1feb6
GuLoader
948eced5fa27e7fc39b404778a20a98d2614158f4f54f1d151de933066045b10
GuLoader
c34fbe5bb7db1716d8933f17bfa914066508430c5b89c040aeccca2df4d788c7
GuLoader
e49d8e1e806d3ce84d2f58c6b4e048e69816bfb199a6b427fd207a59fa2e93fb
GuLoader
fae3f9e1c610097417ce7aa81207f2fea0538a5688c8e2ddf3b3b50172a7fe43
GuLoader
+ 18'582 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221114-mns1rsgg53/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Checks computer location settings
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5120ba9e086/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Guloader_VBScript
Create hunting rule
Author:Ankit Anubhav - ankitanubhav.info
Description:Detects GuLoader/CloudEye VBScripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/333687/

Comments