MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff71d6b1ba2c2ebe801611dedf98f7f62b0543fa356ed1e2827f244a2c55426. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 11

SHA256 hash: 2ff71d6b1ba2c2ebe801611dedf98f7f62b0543fa356ed1e2827f244a2c55426
SHA3-384 hash: 9138a9e8374ef8d27249244b3dea849c517c34300c4463c17ceb80d6aecb8b07c934b74785bf3947b2d557828708e7c5
SHA1 hash: 1f5f4885a9dbfd059be070e32a755ed39f9cb586
MD5 hash: 0dba23836d7499fbee10b0ee8a6db1ec
humanhash: emma-kilo-salami-paris
File name: 2ff71d6b1ba2c2ebe801611dedf98f7f62b0543fa356ed1e2827f244a2c55426
Signature: GuLoader
File size: 382'165 bytes
First seen: 2025-11-06 11:33:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (562 x GuLoader, 120 x RemcosRAT, 82 x EpsilonStealer)
ssdeep: 6144:A5lz/p8q/FCJr3dtVgDy2JFvIQiBPnnHkfjxfKChUsLAIcucBq8txqPYzNnBi+Q:QfD/krdUFvIQiRHkfR2IcBLlzNBnQ
Threatray: 2'265 similar samples on MalwareBazaar
TLSH: T13A84126532B6C053F2655AB04D37CE76BBF960241490A7570B91FB1C3F23393A9293AE
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: adrian__luca
Tags: exe GuLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 119
Origin country: HU
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: justificante de la transferencia -484787845457.exe
Verdict: Malicious activity
Analysis date: 2025-10-28 12:27:20 UTC
Tags: evasion snake keylogger telegram stealer ims-api generic
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 95.7%
Tags: shellcode virus blic

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a window
  Searching for the window
  Creating a file
  Creating a file in the %AppData% subdirectories
  Delayed reading of the file
  Creating a file in the %temp% subdirectories
  Sending a custom TCP request
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Gathering data

Verdict: Malicious
File Type: exe x32
First seen: 2025-10-28T08:37:00Z UTC
Last seen: 2025-11-08T08:30:00Z UTC
Hits: ~10000

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2025-10-28 11:10:58 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:guloader family:vipkeylogger collection discovery downloader keylogger spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  outlook_office_path
  outlook_win_path
  Browser Information Discovery
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Drops file in Program Files directory
  Drops file in Windows directory
  Suspicious use of NtCreateThreadExHideFromDebugger
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Accesses Microsoft Outlook profiles
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
  Loads dropped DLL
  Reads user/profile data of local email clients
  Reads user/profile data of web browsers
  Guloader family
  Guloader,Cloudeye
  VIPKeylogger
  Vipkeylogger family
Malware Config
C2 Extraction: https://api.telegram.org/bot8336320989:AAHlvvvR_j7LbBk-dC5wj9m5Wj5aFXSPK7M/sendMessage?chat_id=7618581100
Unpacked files
  SHA256 hash: 6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b
  MD5 hash: ab1db56369412fe8476fefffd11e4cc0
  SHA1 hash: daad036a83b2ee2fa86d840a34a341100552e723

  SHA256 hash: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  MD5 hash: 0d7ad4f45dc6f5aa87f606d0331c6901
  SHA1 hash: 48df0911f0484cbe2a8cdd5362140b63c41ee457

  SHA256 hash: 2ff71d6b1ba2c2ebe801611dedf98f7f62b0543fa356ed1e2827f244a2c55426
  MD5 hash: 0dba23836d7499fbee10b0ee8a6db1ec
  SHA1 hash: 1f5f4885a9dbfd059be070e32a755ed39f9cb586
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments