MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db423f90dcdd288aaf1fb8bc898dab496765d8b56abe145b9bbeff9e26a4e695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db423f90dcdd288aaf1fb8bc898dab496765d8b56abe145b9bbeff9e26a4e695
SHA3-384 hash: 0f6c11c424e05c1d40c24db5b9582e61326c5d7a793b2062dc574a0636c7a236b007bedfad5974bfd07923ad3bc87419
SHA1 hash: 7a6fec390ca53e873cf5eea31531e7e58da9d378
MD5 hash: 1cfbf2ea376d44938ee48af7cdfd4cc8
humanhash: muppet-gee-white-quebec
File name:Nonsympathetic.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:145'872 bytes
First seen:2023-04-03 14:32:10 UTC
Last seen:2023-04-03 15:39:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 3072:GqTUdySBaLvYzIf/M7o93auj/L1v59TZ9CoeggzozywON3zYPYADQDDWrX:Gkyacbo/BD7ClBz5wezYPKDWrX
Threatray 526 similar samples on MalwareBazaar
TLSH T157E30200A5E5C417E5D78B721E76AFA1E3F6B9640428160F2F311FBA25307C6C70ABA7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter malwarelabnet
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-23T03:17:18Z
Valid to:2026-02-22T03:17:18Z
Serial number: 1a40a7de5f33bd86d92fa83d97c08d3d7089f8ca
Thumbprint Algorithm:SHA256
Thumbprint: 0c6f5d77c85b773cba2c92bebf6e0fb78561d3d35eaa871eae62140f1d229211
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Nonsympathetic.exe
Verdict:
Malicious activity
Analysis date:
2023-04-03 14:37:10 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/b0d273c6-5acb-4201-a104-e0c3dd07a7a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379731/
Detection(s):
SecuriteInfo.com.FileRepMalware.23131.27505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/642ae3a1155a6f1443f9f83c/reports/fa033020-f4d2-4d57-b699-3e1f3e81da84/overview
Verdict:
Malicious
Labled as:
TR/AD.NsisInject
Link:
https://www.hybrid-analysis.com/sample/db423f90dcdd288aaf1fb8bc898dab496765d8b56abe145b9bbeff9e26a4e695
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1e21b5ac-4962-45f1-b67b-1f3975534a5a
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.rans.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207132
Signature
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 840045 Sample: Nonsympathetic.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 32 www.yd352.com 2->32 34 www.traumlichtfotografie.com 2->34 36 27 other IPs or domains 2->36 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 5 other signatures 2->62 11 Nonsympathetic.exe 1 27 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 11->30 dropped 74 Tries to detect Any.run 11->74 76 Hides threads from debuggers 11->76 15 Nonsympathetic.exe 6 11->15         started        signatures6 process7 dnsIp8 44 drive.google.com 142.250.184.238, 443, 49789 GOOGLEUS United States 15->44 46 googlehosted.l.googleusercontent.com 142.250.186.129, 443, 49790 GOOGLEUS United States 15->46 48 Modifies the context of a thread in another process (thread injection) 15->48 50 Tries to detect Any.run 15->50 52 Maps a DLL or memory area into another process 15->52 54 3 other signatures 15->54 19 explorer.exe 3 1 15->19 injected signatures9 process10 dnsIp11 38 www.atelierminyon.com 156.226.207.109, 49931, 49932, 49933 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 19->38 40 www.elladeehiggins.com 216.40.34.41, 49839, 49840, 49841 TUCOWSCA Canada 19->40 42 17 other IPs or domains 19->42 64 System process connects to network (likely due to code injection or exploit) 19->64 23 cmstp.exe 13 19->23         started        signatures12 process13 signatures14 66 Tries to steal Mail credentials (via file / registry access) 23->66 68 Tries to harvest and steal browser information (history, passwords, etc) 23->68 70 Writes to foreign memory regions 23->70 72 3 other signatures 23->72 26 firefox.exe 23->26         started        process15 process16 28 WerFault.exe 4 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db423f90dcdd288aaf1fb8bc898dab496765d8b56abe145b9bbeff9e26a4e695/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-04-03 07:35:32 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nbd7eg43uuivly7xc6itdnljftwlwfvnk7biw43x37z4jve42kq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
01ff3a6ce715226b103f3bf80bdb44737fc8bccd38119a7372d8cdcfd3b034c7
GuLoader
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
GuLoader
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
GuLoader
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
GuLoader
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
GuLoader
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
GuLoader
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
GuLoader
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
GuLoader
f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841
GuLoader
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
GuLoader
+ 516 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/230403-rwvlsaha3t/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Guloader,Cloudeye
Unpacked files
SH256 hash:
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
MD5 hash:
fc90dfb694d0e17b013d6f818bce41b0
SHA1 hash:
3243969886d640af3bfa442728b9f0dff9d5f5b0
Link:
https://www.unpac.me/results/3df4d545-ce2b-4297-8150-207fb2951da7/
SH256 hash:
db423f90dcdd288aaf1fb8bc898dab496765d8b56abe145b9bbeff9e26a4e695
MD5 hash:
1cfbf2ea376d44938ee48af7cdfd4cc8
SHA1 hash:
7a6fec390ca53e873cf5eea31531e7e58da9d378
Link:
https://www.unpac.me/results/3df4d545-ce2b-4297-8150-207fb2951da7/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db423f90dcdd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/db423f90dcdd288aaf1fb8bc898dab496765d8b56abe145b9bbeff9e26a4e695

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379731/

Comments