MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fe59a0eaf50f0836f9ce92ef8a08f553c836421823c5b3067caf54dbc2f4e40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 15



SHA256 hash: 2fe59a0eaf50f0836f9ce92ef8a08f553c836421823c5b3067caf54dbc2f4e40
SHA3-384 hash: aff269e3d764210d105dc8b968b3a5099482fbe865173bbb9ade050c54a83b4b5365f99c3d6e2999a89beccf27010a45
SHA1 hash: 1b09f4837c3c401aca9c1d5bc22f5a1b393c1f4a
MD5 hash: b7fddc0f52aa19361bb43414efe86378
humanhash: spring-queen-dakota-mexico
File name: June 03062026.exe
Signature: GuLoader
File size: 292'592 bytes
First seen: 2026-06-03 15:21:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b78ecf47c0a3e24a6f4af114e2d1f5de (306 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep: 6144:cpZgUXltNBTzek8VuyT9oajCYQXwa8ya1f20lCnTZ8Ikv:EFeduQoaj8c8uCT0
TLSH: T1D654D082758490EBDA256470C8ABDD334B277FBA47D15B0F23B6762E64731630A2F50B
TrID: 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
      8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 08c0248ce4a08982 (1 x RedLineStealer, 1 x GuLoader)
Reporter: lowmal3
Tags: exe GuLoader signed
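The imphash above deserves a caveat before anyone pivots on it. It hashes only the import table, and for an NSIS installer the import table belongs to the NSIS stub, not to the payload (this sample carries the nsis tag, hits the Ins_NSIS_Buer_Nov_2020_1 rule and drops the NSIS plugins nsExec.dll and System.dll). That is why the same value shows up on GuLoader, Formbook and RemcosRAT builds: they share the stub. The block below is an added example, not MalwareBazaar's or pefile's own code; it recomputes an imphash with pefile's normalisation rules (lower-case, strip .dll/.ocx/.sys, resolve a few well-known ordinals, MD5 over the comma-joined "dll.function" list). The import list, the ORDINAL_NAMES subset and the NSIS_STUB_IMPORTS constant are constructed for illustration and are not read from this sample.

```python
"""Recompute a PE imphash the way pefile defines it: MD5 over the normalised
import list in import-table order. Added illustration for this page, not
MalwareBazaar's or pefile's own code. The import list is constructed by hand to
resemble an NSIS installer stub; it is NOT the real import table of the sample."""
import hashlib
from typing import Iterable, List, Tuple, Union

Import = Tuple[str, Union[str, int]]  # (dll name, function name or ordinal)

# pefile resolves imports-by-ordinal for a few DLLs before hashing; only a
# small, known subset of the ws2_32 ordinal table is reproduced here.
ORDINAL_NAMES = {
    "ws2_32": {
        1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
        16: "recv", 19: "send", 23: "socket",
        115: "WSAStartup", 116: "WSACleanup",
    },
}


def normalize_dll(dll: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name


def import_strings(imports: Iterable[Import]) -> List[str]:
    """Produce the 'dll.function' tokens in import-table order."""
    tokens = []
    for dll, func in imports:
        lib = normalize_dll(dll)
        if isinstance(func, int):
            # Unknown ordinals become 'ordN', exactly as pefile names them.
            func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        tokens.append(f"{lib}.{func.lower()}")
    return tokens


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the comma-joined tokens: the string pefile reports as imphash."""
    return hashlib.md5(",".join(import_strings(imports)).encode()).hexdigest()


# Constructed stand-in for an NSIS stub import table (illustrative only; an
# installer's payload is carried as data, so it never touches this list).
NSIS_STUB_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("USER32.dll", "SendMessageA"),
    ("ADVAPI32.dll", "RegOpenKeyExA"),
    ("SHELL32.dll", "ShellExecuteA"),
    ("ole32.dll", "CoCreateInstance"),
]


def compare_variants() -> dict:
    """Show which edits move the value: case and extension do not, while
    import order and membership do."""
    base = imphash(NSIS_STUB_IMPORTS)
    recased = [(d.upper(), f.lower()) for d, f in NSIS_STUB_IMPORTS]
    reordered = list(reversed(NSIS_STUB_IMPORTS))
    with_winsock = NSIS_STUB_IMPORTS + [("WS2_32.dll", 115)]
    return {
        "base": base,
        "case_and_extension_ignored": imphash(recased) == base,
        "order_matters": imphash(reordered) != base,
        "extra_import_changes_hash": imphash(with_winsock) != base,
    }


if __name__ == "__main__":
    for token in import_strings(NSIS_STUB_IMPORTS + [("WS2_32.dll", 115)]):
        print(token)
    print(compare_variants())
```

Because the payload lives in the installer's data section, repacking a different stealer with the same NSIS build leaves the imphash unchanged; use it to cluster packer builds, and rely on ssdeep/TLSH, the YARA hits or the unpacked-file hashes further down to tell families apart.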

Code Signing Certificate

Organisation: Illustrous
Issuer: Illustrous
Algorithm: sha256WithRSAEncryption
Valid from: 2026-04-20T06:27:24Z
Valid to: 2027-04-20T06:27:24Z
Serial number: 76498861d876f5e6cd80eb70ab1ddd7f32743b0f
Thumbprint Algorithm: SHA256
Thumbprint: 1c4700cfc25d1e3ad49b2316b792b35c40c91f97c354acb941d02c7073349171
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 154
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: exe
Verdict: Malicious activity
Analysis date: 2026-06-03 15:22:38 UTC
Tags: auto-reg phantom stealer telegram ip-check generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 95.7%
Tags: injection virus sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching a service
Launching many processes
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context anti-debug evasive installer installer-heuristic microsoft_visual_cc nsis reconnaissance signed
Result
Threat name: GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Browser instances using unsafe startup parameters
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected GuLoader
Behaviour
Behavior Graph (rendered as an image on the page; the node text that survives extraction is summarised here):
Behavior Graph ID: 1922381, Sample: June 03062026.exe, Startdate: 03/06/2026, Architecture: WINDOWS, Score: 100
Network: api.telegram.org (149.154.166.110, port 443, TELEGRAMVG, United Kingdom; contacted by the second June 03062026.exe instance and flagged "Uses the Telegram API (likely for C&C communication)") plus 2 other IPs or domains from that instance; firefox.settings.services.mozilla.com and 15 other IPs or domains at the top level; 151.101.193.91 port 443 (FASTLY-FastlyIncUS, Canada) and 6 other IPs or domains from firefox.exe; ntp.msn.com, clients2.googleusercontent.com and 39 other IPs or domains from msedge.exe; 192.168.2.4 (ports 138, 443) and 239.255.255.250 from the top-level msedge.exe
Process tree: June 03062026.exe starts a second June 03062026.exe, two cmd.exe (each with a Conhost.exe) and 63 other processes; the second instance starts msedge.exe and 5 other processes; msedge.exe, firefox.exe and 2 other processes also start at the top level, the latter launching further June 03062026.exe instances (one of which starts another June 03062026.exe and drops C:\Users\user\...\June 03062026.exe.log, ASCII); a setup.exe starts within the msedge.exe subtree
Dropped files: C:\Users\user\AppData\Roaming\...\priests.bur (COM); C:\Users\user\AppData\Local\...\nsExec.dll (PE32) and C:\Users\user\AppData\Local\...\System.dll (PE32), dropped by the first instance and again by the 2 other processes; C:\Users\user\AppData\...\June 03062026.exe (PE32) and C:\...\June 03062026.exe:Zone.Identifier (ASCII) by the second instance; C:\Users\user\...\the-real-index (copy) and C:\Users\user\AppData\Local\...\temp-index (COM) by msedge.exe; C:\Users\user\AppData\...\gmpopenh264.dll.tmp and C:\Users\user\...\gmpopenh264.dll (copy) (PE32+) by firefox.exe
Signatures by node: first June 03062026.exe: Obfuscated command line found; second June 03062026.exe: Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc), Writes to foreign memory regions, 5 other signatures; top-level msedge.exe: Maps a DLL or memory area into another process; msedge.exe started by the second instance: Monitors registry run keys for changes, Installs a global keyboard hook
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-06-03 15:22:49 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 11 of 36 (30.56%)
Threat level: 5/5
Verdict: malicious
Label(s): packer_bxor
Similar samples:
Result
Malware family: n/a
Score: 7/10
Tags: discovery installer
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Unpacked files
SHA256 hash: 2fe59a0eaf50f0836f9ce92ef8a08f553c836421823c5b3067caf54dbc2f4e40
MD5 hash: b7fddc0f52aa19361bb43414efe86378
SHA1 hash: 1b09f4837c3c401aca9c1d5bc22f5a1b393c1f4a
SHA256 hash: aadb42162f6d129f7dd6dad6eb0732cd13691723e8fadaa527bb471852a8225e
MD5 hash: a48896a867e78601bb8b5e4de953ddbb
SHA1 hash: 3a8b158f44d73a2b2f7773e4c28bb81abadc1e2a
Detections: win_flawedammyy_auto
Parent samples: …
SHA256 hash: c3338338ca68c09cb0e7e6097ddc7fed38fb99fd87fd5c9261a3bd9e4194d317
MD5 hash: fd6dedaee84b77f19187a6c261760f06
SHA1 hash: a7f61b2530d364740cec96e259b7dbd4124d382b
SHA256 hash: f2c1409faf2952c1c91f4b5495158ef5c7d1a1db6eea4a18f163574bd52fcad0
MD5 hash: b3070cf20db659fdfb3cb2ed38130e8d
SHA1 hash: aa234b0620bebddde1414ff6b0840d883890b413
SHA256 hash: 288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884
MD5 hash: b5a1f9dc73e2944a388a61411bdd8c70
SHA1 hash: dc9b20df3f3810c2e81a0c54dea385704ba8bef7
Detections: win_flawedammyy_auto
Parent samples: …
Malware family: PhantomStealer
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detects the NSIS installer used for the Buer loader
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader: Executable exe 2fe59a0eaf50f0836f9ce92ef8a08f553c836421823c5b3067caf54dbc2f4e40 (this sample)

Delivery method: Distributed via e-mail attachment

Comments