MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9
SHA3-384 hash: 6eda64842c912139e4d24a7c0daae2742734c35ca863565da70c94fd96c40e701109f278005cf27c6fa9fed7296fd514
SHA1 hash: 8e5a4b058f17673c6cfe8d0f5fd9d3f16145ee59
MD5 hash: bcefbdf3a843936a3a1906ca24c8a144
humanhash: solar-two-white-crazy
File name:2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9
Download: download sample
Signature GuLoader
Create hunting rule
File size:837'184 bytes
First seen:2025-08-12 14:27:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 64 x GuLoader, 54 x Loki)
ssdeep 24576:0QOM5Y/4PwDKuEnsq2VfQ+YVNn8YA0gbKjqD:TO/4Pwcn2VI+OnHAwA
Threatray 4'306 similar samples on MalwareBazaar
TLSH T1A805239107319A73CAD60D70082668F9F6E7DC429176C7879F823FAB3D325749A27227
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon d022d8c8f28f80c0 (28 x GuLoader, 6 x Adware.Generic, 5 x VIPKeylogger)
Reporter adrian__luca
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Emprosthotonos
Issuer:Emprosthotonos
Algorithm:sha256WithRSAEncryption
Valid from:2025-02-11T02:21:34Z
Valid to:2026-05-17T02:21:34Z
Serial number: 1a6ea9adf9b4576a3985ff370af65ec0fdc57022
Thumbprint Algorithm:SHA256
Thumbprint: ee084d14a0c79f294b5e225d34ae03bd6dd15978c8755c9af85c893b74817c92
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9
Verdict:
Malicious activity
Analysis date:
2025-08-08 17:53:58 UTC
Tags:
evasion snake keylogger telegram stealer
Link:
https://app.any.run/tasks/7291422f-445c-4213-bc0a-ef4b0b78630b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20671/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689b520cc633abe3908e5072
Tags:
injection virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/92d0aed1-434a-4caf-a140-c7f36494db3c
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9/
Threat name:
Win32.Trojan.GULoader
Create hunting rule
Status:
Malicious
First seen:
2025-07-23 23:22:58 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f35wjsqzbd4v3uevq4oweiovvund3sd2ts3dm7jwde6xup6rck4q._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8
GuLoader
0cb6636748ff6a60ebf1a4644a7b4c877f8a19edd8c7a2eac10b34d1bd7cbfbf
GuLoader
29032ae14e315863a55a0851c3e1c9cb246beb4513a279d8b1bf7fac97be6ff7
GuLoader
2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c
GuLoader
43753d7fe1487c758cfebd575c0818b13ef5c3c278a0fa9539e04fe1a86553eb
GuLoader
55118f31295208ddb2a3e7f18a340056c791d338d8375080cdf618c2bc01bd08
GuLoader
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
GuLoader
da9c5f609ebbcf19aef3d6992d451ccbe4fa77858660f6861146d1a486e1d98e
GuLoader
ebb0272ecef9d8bf07a71b9ead8718760d27c4fdc334fe2de7a8b93237e61044
GuLoader
error
GuLoader
+ 4'296 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery installer keylogger spyware stealer
Link:
https://tria.ge/reports/250812-tf47dssxdv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8012867311:AAFWksrZyGA7ilrdJz70qpVjXRyr7X1_uBo/sendMessage?chat_id=7701710747
Verdict:
Malicious
Tags:
loader guloader
YARA:
NSIS_GuLoader_July_2024
Link:
https://app.threat.zone/submission/05c84c59-ab39-469f-8970-cc9d37e19b3f
Unpacked files
SH256 hash:
2efb64ca1908f95dd095871d6221d5ad1a3dc87a9cb6367d36193d7a3fd112b9
MD5 hash:
bcefbdf3a843936a3a1906ca24c8a144
SHA1 hash:
8e5a4b058f17673c6cfe8d0f5fd9d3f16145ee59
Link:
https://www.unpac.me/results/3a0ed449-d505-43ad-bd9a-5d9fb784dab6/
SH256 hash:
269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
MD5 hash:
34442e1e0c2870341df55e1b7b3cccdc
SHA1 hash:
99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
Link:
https://www.unpac.me/results/3a0ed449-d505-43ad-bd9a-5d9fb784dab6/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/20671/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments