MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d893d8955618d559fd07a9f01585b157e2efa71ed0bd22c77d318fad6bbf021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d893d8955618d559fd07a9f01585b157e2efa71ed0bd22c77d318fad6bbf021
SHA3-384 hash: 5ed4ce4a4d81949f642d4972751c46f6abb4d36e39fa9952bcaa47e2764c4e00fdfcdba81777c0bcba7fa0a3d7d16402
SHA1 hash: 3336a515822b67e891782ebe907b78ef14dfc7cf
MD5 hash: 368c348876ea257c08cf6b32cdb2f567
humanhash: yankee-rugby-seventeen-wyoming
File name:Nakliye belgeleri.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:719'969 bytes
First seen:2024-08-27 08:58:28 UTC
Last seen:2025-07-28 07:54:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (304 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 12288:a7MJHZFQp4CdsJYgASCk0DpDLZwfw+A0T2obdYgVRgTuaFp0zS6w+CAG0snsQ6:aIJHop42gAM0teoVGbd9VRYH6VfAsQ6
TLSH T185E423A741F1D03BC85166F207F2BAB9FEB46C06816D818B1B717B461D3A903CD197AE
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter spatronn2
Tags:exe ftp-magazinsalajean-ro GuLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
412
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Nakliye belgeleri.bat
Verdict:
Malicious activity
Analysis date:
2024-08-27 08:59:31 UTC
Tags:
guloader loader evasion snake keylogger telegram stealer ftp
Link:
https://app.any.run/tasks/737b6c87-da87-48d9-bc8f-4c9e1b67e152

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Mal.Generic-S.31020.16397.20236.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cd9558e7ff3f5a063c143b
Tags:
Encryption Execution Generic Heur
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin masquerade microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66cd955a1c7fd2cfb70570c6/reports/1c40b065-3668-450a-99a9-4e679e65501e/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2d893d8955618d559fd07a9f01585b157e2efa71ed0bd22c77d318fad6bbf021
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4bb2d15d-579d-4f3d-921e-897bb8f856b5
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1499651
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Opens the same file many times (likely Sandbox evasion)
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1499651 Sample: Nakliye belgeleri.bat.exe Startdate: 27/08/2024 Architecture: WINDOWS Score: 100 23 reallyfreegeoip.org 2->23 25 api.telegram.org 2->25 27 3 other IPs or domains 2->27 41 Antivirus detection for URL or domain 2->41 43 Yara detected VIP Keylogger 2->43 45 Yara detected Telegram RAT 2->45 51 4 other signatures 2->51 8 Nakliye belgeleri.bat.exe 31 2->8         started        signatures3 47 Tries to detect the country of the analysis system (by using the IP) 23->47 49 Uses the Telegram API (likely for C&C communication) 25->49 process4 file5 21 C:\Users\user\AppData\Local\...behaviorgraphreenwort.Seg, ASCII 8->21 dropped 53 Suspicious powershell command line found 8->53 55 Opens the same file many times (likely Sandbox evasion) 8->55 12 powershell.exe 18 8->12         started        signatures6 process7 signatures8 57 Writes to foreign memory regions 12->57 59 Found suspicious powershell code related to unpacking or dynamic code loading 12->59 61 Hides threads from debuggers 12->61 15 wab.exe 15 8 12->15         started        19 conhost.exe 12->19         started        process9 dnsIp10 29 api.telegram.org 149.154.167.220, 443, 49732 TELEGRAMRU United Kingdom 15->29 31 reallyfreegeoip.org 188.114.97.3, 443, 49716, 49717 CLOUDFLARENETUS European Union 15->31 33 3 other IPs or domains 15->33 35 Tries to steal Mail credentials (via file / registry access) 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 39 Hides threads from debuggers 15->39 signatures11
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2d893d8955618d559fd07a9f01585b157e2efa71ed0bd22c77d318fad6bbf021
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d893d8955618d559fd07a9f01585b157e2efa71ed0bd22c77d318fad6bbf021/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-08-27 08:59:05 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwet3ckvmggvlh6qpkpqcwc3cv7c56tr5uf5eldx2mmpvvv36aqq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger discovery execution keylogger stealer
Link:
https://tria.ge/reports/240827-kxqkwsvblr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Unpacked files
SH256 hash:
2d893d8955618d559fd07a9f01585b157e2efa71ed0bd22c77d318fad6bbf021
MD5 hash:
368c348876ea257c08cf6b32cdb2f567
SHA1 hash:
3336a515822b67e891782ebe907b78ef14dfc7cf
Link:
https://www.unpac.me/results/2f649be9-8270-4916-b865-ffe2eed88b54/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d893d895561/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d893d8955618d559fd07a9f01585b157e2efa71ed0bd22c77d318fad6bbf021

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_GuLoader
Create hunting rule
Author:NDA0E
Description:Detects GuLoader using NSIS
Rule name:NSIS_GuLoader_July_2024
Create hunting rule
Author:NDA0E
Description:Detects GuLoader packed with NSIS installer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments