Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform VBScript, family GuLoader
This detection identifies a VBScript downloader belonging to the GuLoader malware family. GuLoader's primary function is to evade initial security controls to download and execute more dangerous secondary payloads, such as information stealers, ransomware, or remote access trojans. The !MTB suffix signifies that it was identified through machine learning-based behavioral analysis.
Relevant strings associated with this threat:
- byretsdommeres.exe (PEHSTR_EXT)
- kirkegange\baltheus\digression (PEHSTR_EXT)
- Precosmically\multihead (PEHSTR_EXT)
- %seacross%\solcreme (PEHSTR_EXT)
- \nooky\Concolour.ini (PEHSTR_EXT)
- \spermatia (PEHSTR_EXT)
Hashes listed with this detection:
- 2a37fe6d5c63af1e034500ba56ed6ca4426365fdf25d1a9caa525cc7b5b56bf4
- 8731f4511d814822155a320ad04518faf8ce5fe78ac609e29395b229d9b99856
- 163222800e8dcf38c0d10b89ba54f3bb566ddc0ea0063020d51b757585b14612

Immediately isolate the affected host from the network to prevent further compromise. Use antivirus software to perform a full system scan and remove all detected components. Since GuLoader downloads other malware, investigate for persistence mechanisms and secondary payloads, change all user credentials, and consider re-imaging the system.