MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 9

Intelligence 9 IOCs YARA 12 File information Comments

SHA256 hash:	16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8
SHA3-384 hash:	b1a2603c9a57b37bd82eb1c359776215a89db29677abb7cc5ae1b8701de469200b943f0ce032513d95c7337241b4976b
SHA1 hash:	683d7425cd81620e036ac7491e2a7712209b8e11
MD5 hash:	c2873a7fe2c49d6b51931b893409be04
humanhash:	xray-harry-montana-texas
File name:	16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	786'856 bytes
First seen:	2026-06-08 09:22:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	573bb7b41bc641bd95c0f5eec13c233b (49 x GuLoader, 31 x RemcosRAT, 18 x AgentTesla)
ssdeep	24576:obudKXDY/adczFCmC5uENNSMtubw7uNQ5yprVD:6udKM2GFxkTJmw7QprR
TLSH	T1AFF41282BE74A655D6A0CE3164BD593C4B3AEFBBE648150B3180BF0A78F715F550BE02
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	60e8dcccccc4e2e2 (2 x GuLoader)
Reporter	adrian__luca
Tags:	exe GuLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NSIS

Details

Link:

https://research.acce.ciphertechsolutions.com/results/e67358ea-ffdd-4689-a958-a39fba4e1a09/

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69746/

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a268a3c3e9eff6a6b68b912

Tags:

injection vmdetect obfusc virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Searching for the window

Creating a file in the %AppData% subdirectories

Delayed reading of the file

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

Restart of the analyzed sample

Launching the default Windows debugger (dwwin.exe)

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm evasive fingerprint installer installer installer-heuristic microsoft_visual_cc nsis reconnaissance signed smb

Link:

https://www.filescan.io/uploads/6a268a441f652d68656db6a6/reports/0515fc31-0e47-41db-be10-82035ab67b83/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-08T00:59:00Z UTC

Last seen:

2026-06-10T05:55:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b8fe20fd-a74e-4e4b-96c7-6dbf09301cb8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8/

Threat name:

Win32.Trojan.Sonbokli

Status:

Malicious

First seen:

2026-05-08 04:22:13 UTC

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c3qqkgnpq4ftgm5g2n5ieouyi2smpifxzks5gwwpna5oggxe4w4a._file

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/260608-lcz49sbz6x/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Loads dropped DLL

Family: Guloader,Cloudeye

Unpacked files

SH256 hash:

16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8

MD5 hash:

c2873a7fe2c49d6b51931b893409be04

SHA1 hash:

683d7425cd81620e036ac7491e2a7712209b8e11

Link:

https://www.unpac.me/results/352e5872-4b8b-4e3a-a032-32376d951c3f/

SH256 hash:

8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

MD5 hash:

9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1 hash:

97332a2ffcf12a3e3f27e7c05213b5d7faa13735

Link:

https://www.unpac.me/results/352e5872-4b8b-4e3a-a032-32376d951c3f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/16e10519af870b3333a6d37a823a9846a4c7a0b7caa5d35acf683ae31ae4e5b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026 Create hunting rule
Author:	SixHands
Description:	Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69746/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample