Trojan:VBS/GuLoader.RSY!MTB - Windows Defender Threat Analysis
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:VBS/GuLoader.RSY!MTB
Classification:
Type: Trojan
Platform: VBS
Family: GuLoader
Detection Type: Concrete (known malware family with identified signatures)
Variant: RSY (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), VBScript platform, family GuLoader

Summary:

This threat is a VBScript downloader from the GuLoader family. Its primary function is to download and execute a secondary, more malicious payload, such as an information stealer or remote access trojan. The detection was triggered by machine learning behavioral analysis observing the script's attempt to execute a payload like 'aquaduct.exe'.

Severity: Medium
VDM Static Detection:
Relevant strings associated with this threat:
 - infeasibilities aquaduct.exe (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win32_GuLoader_RSY_2147934560_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/GuLoader.RSY!MTB"
        threat_id = "2147934560"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "GuLoader"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "ethanim pig domsudskrift" ascii //weight: 1
        $x_1_2 = "bombyciform fljlerne sesquiduple" ascii //weight: 1
        $x_1_3 = "formaalsls frues melanie" ascii //weight: 1
        $x_1_4 = "fladbarmet" ascii //weight: 1
        $x_1_5 = "infeasibilities aquaduct.exe" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Remediation Steps:
Isolate the affected machine from the network. Ensure Windows Defender has removed the VBS file and run a full system scan to detect any secondary payloads. Investigate for persistence mechanisms (e.g., scheduled tasks, registry run keys) and reset passwords for accounts used on the machine.
=== END REPORT ===