MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4b15c4c1ad3c5de9ded9964ee4313a5fd3023f222d98a2ea287727dcea19732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4b15c4c1ad3c5de9ded9964ee4313a5fd3023f222d98a2ea287727dcea19732
SHA3-384 hash: bbffdbc7822c746878660d6cd3c14d0fea55d74bb5e5296c3d2a89c6a6b4676fa9fb27274621a8aafce54e98d8cbe3ec
SHA1 hash: f8e4600b3691faf64eee50f2f2771ef65129c139
MD5 hash: 537c755e1e30beda54bf80f6412b0331
humanhash: may-music-fifteen-timing
File name:NewXinquiryXFBDX22XIPX020.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:41'677 bytes
First seen:2022-11-17 13:51:52 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:9EmRncikL6FvJ3QrxSkw49Iq/osBEAmFcaea8Mp:rlQL6FvJ3OTDlREAccaeU
TLSH T196134CDE8B871599CB3A33E999891C404D6006A8E43904173ED1A78C1607DE9BBFB7BD
Reporter lowmal3
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335338/
Detection(s):
SecuriteInfo.com.VBS.Obfus-184.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Obfus-185.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26618.JsHeur.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63763c84f513af64a6450451/reports/fc7058c0-4b5c-41d6-b6ee-dfb43dc32fc2/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115771
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Remcos
Tries to detect Any.run
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748480 Sample: NewXinquiryXFBDX22XIPX020.vbs Startdate: 17/11/2022 Architecture: WINDOWS Score: 100 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 Yara detected GuLoader 2->63 65 8 other signatures 2->65 8 wscript.exe 1 1 2->8         started        process3 signatures4 71 VBScript performs obfuscated calls to suspicious functions 8->71 73 Wscript starts Powershell (via cmd or directly) 8->73 75 Obfuscated command line found 8->75 77 Very long command line found 8->77 11 powershell.exe 15 24 8->11         started        16 cmd.exe 1 8->16         started        18 cmd.exe 1 8->18         started        process5 dnsIp6 53 drive.google.com 142.250.185.110, 443, 49701, 49703 GOOGLEUS United States 11->53 55 googlehosted.l.googleusercontent.com 142.250.185.97, 443, 49702, 49704 GOOGLEUS United States 11->55 57 doc-0c-3c-docs.googleusercontent.com 11->57 45 C:\Users\user\AppData\...\cw0ohqqc.cmdline, Unicode 11->45 dropped 79 Tries to detect Any.run 11->79 20 ieinstal.exe 5 17 11->20         started        25 csc.exe 3 11->25         started        27 conhost.exe 11->27         started        35 2 other processes 11->35 29 MpCmdRun.exe 1 16->29         started        31 conhost.exe 16->31         started        33 conhost.exe 18->33         started        file7 signatures8 process9 dnsIp10 47 139.28.36.170, 49705, 49707, 49708 FREEHOSTUA Ukraine 20->47 49 geoplugin.net 178.237.33.50, 49706, 80 ATOM86-ASATOM86NL Netherlands 20->49 51 3 other IPs or domains 20->51 41 C:\ProgramData\remcos\logs.dat, data 20->41 dropped 67 Tries to detect Any.run 20->67 69 Installs a global keyboard hook 20->69 43 C:\Users\user\AppData\Local\...\cw0ohqqc.dll, PE32 25->43 dropped 37 cvtres.exe 1 25->37         started        39 conhost.exe 29->39         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4b15c4c1ad3c5de9ded9964ee4313a5fd3023f222d98a2ea287727dcea19732/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6syvyta22pc55hpntfso4qytux6tai7selmyulvcq5zh3tvbs4za._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection persistence rat
Link:
https://tria.ge/reports/221117-q6dkksee68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Blocklisted process makes network request
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
139.28.36.170:50197
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4b15c4c1ad3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Guloader_VBScript
Create hunting rule
Author:Ankit Anubhav - ankitanubhav.info
Description:Detects GuLoader/CloudEye VBScripts
Rule name:OBFUS_PowerShell_Common_Replace
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Visual Basic Script (vbs) vbs f4b15c4c1ad3c5de9ded9964ee4313a5fd3023f222d98a2ea287727dcea19732

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/335338/

Comments