MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2
SHA3-384 hash:	bffe9341e9bc99cbadfd695e6ea7cf19bc943ec7741d39ae331918b53875be2b9222a80be4ba50856714c4f9c5602026
SHA1 hash:	6098c7053eff8e8004b108599c42ed757c926732
MD5 hash:	1f941ccbf50d80370c99acff3593cb02
humanhash:	montana-massachusetts-connecticut-bakerloo
File name:	w2.xzqess.site.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	158'629 bytes
First seen:	2026-02-07 13:17:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (283 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	3072:6wDijpS4DbYcRsuHpxVWMRyCHuq+K9kmAHOV/ZvBWu0t11X:6FGuJLWMRyrqjVuO1Wu0H
TLSH	T15CF302026751C9F7C8194770453FDB38AFF69A6E91C519878341AF7ABD230838E2E2D6
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	aachum
Tags:	dropped-by-OffLoader exe GuLoader tbjj-site w2-xzqess-site

iamaachum

http://w2.xzqess.site/ping/

Downloads http://www.tbjj.site/iigionhx.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NSIS

Details

Link:

https://research.acce.ciphertechsolutions.com/results/049ce043-30fb-43c4-9c7e-4cfaadb1650d/

Malware family:

n/a

ID:

File name:

BIGFILMS 8211 INFERNO Pack Create Epic Blockbuster Scenes.exe

Verdict:

Malicious activity

Analysis date:

2026-02-07 13:03:30 UTC

Tags:

auto generic loader adware stealer offloader advancedinstaller arch-exec arch-doc python

Link:

https://app.any.run/tasks/fd49a637-a8a6-41e8-a7fc-8b1c3eb36635

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52589/

Detection(s):

SecuriteInfo.com.Trojan.NSIS.Injector.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69873b573cadc639ed844492

Tags:

injection shell nsis blic

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug blackhole fingerprint installer installer installer-heuristic masquerade microsoft_visual_cc nsis packed soft-404

Link:

https://www.filescan.io/uploads/69873b97981ff1d38a4c46b4/reports/295d4ff2-8e76-4c66-935d-b46709c63e10/overview

Verdict:

Malicious

Labled as:

Adware.Dotdo.Z

Link:

https://www.hybrid-analysis.com/sample/012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2

Result

Gathering data

Malware family:

NSIS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9e6429df-8171-4cce-8d65-f5bfa6cbdd03

Score:

63%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/1f941ccbf50d80370c99acff3593cb02

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2/

Verdict:

Malicious

Threat:

Family.GULOADER

Link:

https://tip.neiki.dev/file/012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aex6764giqjhrucgjdwqg4ozdycgabhqcbzkk62kljraeszc3lja._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery execution installer

Link:

https://tria.ge/reports/260207-qje5wsfz7h/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Unpacked files

SH256 hash:

012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2

MD5 hash:

1f941ccbf50d80370c99acff3593cb02

SHA1 hash:

6098c7053eff8e8004b108599c42ed757c926732

Link:

https://www.unpac.me/results/c534d513-7260-4a9c-9768-58045f9816a3/

SH256 hash:

bf0cf3990c6c23dd91ec21071c31537f36355b6d6900358e1536b9a377427619

MD5 hash:

26fc881f84b7f9081cf6b58ab8f9ec08

SHA1 hash:

c4424b9a716392228d55f7d067592d77e9d1b5d2

Detections:

win_flawedammyy_auto

Link:

https://www.unpac.me/results/c534d513-7260-4a9c-9768-58045f9816a3/

Parent samples :

99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
864600e2d2b01921667426263b8f6d5487aef7f9e4392190614b3538ee8a61b2
012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2

SH256 hash:

72f33da081b8d579f437e7aa2ba8d9cb9602270b88093ff9411ac6316b52fc6e

MD5 hash:

d38543fc9ae37d188a23e06ee11d3504

SHA1 hash:

174fe778f66db4a527fddf21b1c23e1bc1ceceeb

Link:

https://www.unpac.me/results/c534d513-7260-4a9c-9768-58045f9816a3/

SH256 hash:

c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

MD5 hash:

b38561661a7164e3bbb04edc3718fe89

SHA1 hash:

f13c873c8db121ba21244b1e9a457204360d543f

Detections:

win_flawedammyy_auto

Link:

https://www.unpac.me/results/c534d513-7260-4a9c-9768-58045f9816a3/

Parent samples :

99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
864600e2d2b01921667426263b8f6d5487aef7f9e4392190614b3538ee8a61b2
012feffb86441278d04648ed0371d91e046004f01072a57b4a5a62024b22dad2

SH256 hash:

5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

MD5 hash:

92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1 hash:

d850013d582a62e502942f0dd282cc0c29c4310e

Link:

https://www.unpac.me/results/c534d513-7260-4a9c-9768-58045f9816a3/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.