MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa55a0efc03c0f64de8c1775fb0ca1a744f7b4f91e4e7b32c93ebe1a9d3952f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa55a0efc03c0f64de8c1775fb0ca1a744f7b4f91e4e7b32c93ebe1a9d3952f7
SHA3-384 hash: ae455be1f7146b2a5b0e893acc387e3bc757e9b6d1938c833d615a44421563a3d466471f317e3a592cf9cd6515e047c0
SHA1 hash: 59f4b7acaad937d9ab3c480ef8c40b381b5667d8
MD5 hash: 2e5d64396eddeee2053fd3fb446892ae
humanhash: lemon-september-uniform-gee
File name:HTMCDevalueringstidspunkts2024.vbs
Download: download sample
Signature GuLoader
Create hunting rule
File size:17'235 bytes
First seen:2024-04-21 10:58:28 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:EuM9nrXoI5tBVfopD/WMECfPKWCrsulNhbpFnOwlPnWu2:EteIvB5sD/WMECfFCNVm68
Threatray 539 similar samples on MalwareBazaar
TLSH T10E724AADEB8537628D8E2769FC50D641C9A401CE4C220199FE56834E21779ECA3BEF4D
Reporter abuse_ch
Tags:GuLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nemucod virus
Link:
https://www.filescan.io/uploads/6624f176b575a100a2317a60/reports/5b8bfca6-7cdb-43d0-aef0-479b455a9d87/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fa55a0efc03c0f64de8c1775fb0ca1a744f7b4f91e4e7b32c93ebe1a9d3952f7
Result
Verdict:
MALICIOUS
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1429225
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429225 Sample: HTMCDevalueringstidspunkts2... Startdate: 21/04/2024 Architecture: WINDOWS Score: 100 40 jgbours284hawara01.duckdns.org 2->40 42 geoplugin.net 2->42 54 Snort IDS alert for network traffic 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 62 8 other signatures 2->62 11 wscript.exe 1 2->11         started        signatures3 60 Uses dynamic DNS services 40->60 process4 signatures5 64 VBScript performs obfuscated calls to suspicious functions 11->64 66 Suspicious powershell command line found 11->66 68 Wscript starts Powershell (via cmd or directly) 11->68 70 3 other signatures 11->70 14 powershell.exe 14 19 11->14         started        process6 dnsIp7 48 87.121.105.163, 49700, 49708, 80 NET1-ASBG Bulgaria 14->48 74 Suspicious powershell command line found 14->74 76 Very long command line found 14->76 78 Found suspicious powershell code related to unpacking or dynamic code loading 14->78 18 powershell.exe 17 14->18         started        21 conhost.exe 14->21         started        23 cmd.exe 1 14->23         started        signatures8 process9 signatures10 50 Writes to foreign memory regions 18->50 52 Found suspicious powershell code related to unpacking or dynamic code loading 18->52 25 wab.exe 5 15 18->25         started        30 cmd.exe 1 18->30         started        process11 dnsIp12 44 jgbours284hawara01.duckdns.org 45.88.90.110, 3050, 49709 LVLT-10753US Bulgaria 25->44 46 geoplugin.net 178.237.33.50, 49710, 80 ATOM86-ASATOM86NL Netherlands 25->46 38 C:\Users\user\AppData\Roaming\mvourhjs.dat, data 25->38 dropped 72 Installs a global keyboard hook 25->72 32 cmd.exe 1 25->32         started        file13 signatures14 process15 process16 34 conhost.exe 32->34         started        36 reg.exe 1 1 32->36         started       
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fa55a0efc03c0f64de8c1775fb0ca1a744f7b4f91e4e7b32c93ebe1a9d3952f7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa55a0efc03c0f64de8c1775fb0ca1a744f7b4f91e4e7b32c93ebe1a9d3952f7/
Threat name:
Script-WScript.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-04-19 10:02:52 UTC
File Type:
Text (VBS)
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jk2b36ahqhwjxumc527wdfbu5cppnhzdzhhwmwjh27bvhjzkl3q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20f56c766225ccd9d19edf9021ab2ce69071fb6ad80a69637fd9a7af02273a4a
GuLoader
39904c5d67aebdeb68b5bc799559dda7fe7bd9db166fd8dc72e7e4c0ce5d6491
GuLoader
66c25b056feae73374a9cb4db0469c94d0a1d2d91cfe09cad1e890e72d5bfb70
GuLoader
71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0
GuLoader
8081e0bda5a4d7cf536969b1a62ec3d550d1f806e189ee4a6eb14524b4eb9c64
GuLoader
84176781043f8f95306328477f7b28fa721f44b1767fe740cbd207233c2a47c6
GuLoader
a731a3484aa2cde6c16d273b0838b664de71e45c498d6412dca328b457873248
GuLoader
d5d49fbe4f955416afe5db8c735638cedde326347757e8c57323305480568418
GuLoader
e3c50af5dfca67fd9af9530c801ef172bde856241cf6b2c8596421b9a7ae8882
GuLoader
ea38b6131bffa783cde57e659bf5aad8d7af08359e4d4a8be016f7f296bb3499
GuLoader
+ 529 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader persistence
Link:
https://tria.ge/reports/240421-m3djmahf9x/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments