MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5288a90e3ffc7fb7c13e74849005440fdf35467f2102cf4a49ae1b9bc18ec8d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5288a90e3ffc7fb7c13e74849005440fdf35467f2102cf4a49ae1b9bc18ec8d0
SHA3-384 hash: 7e32ba3d50a39c97efe1b8fec2c27140f68189cbda1939beb2be555eb8d5777430e7341135c8aa44994fde69304db03d
SHA1 hash: c9a9e785c86ccafa269bccb3eef0f4184f5b4f52
MD5 hash: bcb25e849b08dd7ad7ec5c70c5b31181
humanhash: lamp-speaker-lake-december
File name:SecuriteInfo.com.Gen.Variant.Nemesis.26006.9083.10756
Download: download sample
Signature GuLoader
Create hunting rule
File size:891'384 bytes
First seen:2023-08-01 11:40:19 UTC
Last seen:2023-08-02 06:31:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (274 x GuLoader, 36 x RemcosRAT, 23 x AgentTesla)
ssdeep 24576:Yb/7VRbJ/EfVP9+r3iKRmj9FNCOWmqgnapUOVSMcT+:gJ/Ef2rSK0j9FoOWmqgap/VSMca
Threatray 613 similar samples on MalwareBazaar
TLSH T17F1533211F60AA77DF529AB021BB68218BB2D511243C575B0B152FAFE912F811FBC35F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-13T02:47:58Z
Valid to:2025-11-12T02:47:58Z
Serial number: 3ba344e66ac3341b1cac18abc3eebd4d701d72b5
Thumbprint Algorithm:SHA256
Thumbprint: 4bd9e83550861a9e0dd4132cfd4353f010c217ef4e624b20ac39366d301c17fc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
275
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.26006.9083.10756
Verdict:
Malicious activity
Analysis date:
2023-08-01 11:41:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/894bddaf-74e2-4ec1-b750-f8a961455be1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439591/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.26006.9083.10756.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64c8ef4e2e037e88653f8df6/reports/50f95a36-443a-4c19-998a-c9ed8f8717ca/overview
Verdict:
Malicious
Labled as:
Trojan/NSIS.XG41
Link:
https://www.hybrid-analysis.com/sample/5288a90e3ffc7fb7c13e74849005440fdf35467f2102cf4a49ae1b9bc18ec8d0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e9c396f2-3461-4ccd-9fcd-b903be6efb30
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1283692
Signature
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5288a90e3ffc7fb7c13e74849005440fdf35467f2102cf4a49ae1b9bc18ec8d0/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-01 09:24:42 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkeksdr77r73pqj6oscjabkeb7ptkrt7eebm6ssjvynzxqmozdia._file
Verdict:
unknown
Similar samples:
1a6a26126907eba868eb76873864deedc4170c3da63c3bce70d7fe0d9adaeece
GuLoader
2dc3154ffa4a3fc2533b7b221f215b41d6c21b70acb780fa8f46b212cb798b94
GuLoader
4dcf685ec146dd3a0b5cf5869bbda64af27223b16963e629df4f6103c8537208
GuLoader
59513bfeaf670993430990ea716bf0f17472ee43169c1722350e345066f0e337
GuLoader
7fa4a11b501e03019ad7b90d08c297554cd7c5e9b49de7aacfba190db630e5a4
GuLoader
9c21b977acef57ad64a9b518f1469b60e5d566cb1d5a89b245b975157f7c8aa4
GuLoader
b17de6384fa619dff0fe5e40d5e8f228eff8bb9544fa73e955a12f30018b8597
GuLoader
b3c83ca8ac0be1a91267ff0c5f12e3db8b08b4fa0c8c44df69a4a358c946bbee
GuLoader
f857890d674a9d4abd8ef6d735c7c03eef0a75777c64cb4a62917d12b68dcbfa
GuLoader
+ 603 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230801-ntek1agf41/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/f3eb1161-0c01-4be9-b685-65b2de2629a2/
SH256 hash:
5288a90e3ffc7fb7c13e74849005440fdf35467f2102cf4a49ae1b9bc18ec8d0
MD5 hash:
bcb25e849b08dd7ad7ec5c70c5b31181
SHA1 hash:
c9a9e785c86ccafa269bccb3eef0f4184f5b4f52
Link:
https://www.unpac.me/results/f3eb1161-0c01-4be9-b685-65b2de2629a2/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5288a90e3ffc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5288a90e3ffc7fb7c13e74849005440fdf35467f2102cf4a49ae1b9bc18ec8d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/439591/

Comments