MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3515de6eccfc4e2b39dd34a21b1e7501673d598792b797907f40683ffb081592. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 16

SHA256 hash: 3515de6eccfc4e2b39dd34a21b1e7501673d598792b797907f40683ffb081592
SHA3-384 hash: 331d5427ac05ee958dd6d5f2341799a45525c065ae22196a78ece95ccf299ec9c358e817dafec4cdece0400752c06b39
SHA1 hash: 3239435bce0ae3bc86a4ee98f66758ab729cc075
MD5 hash: e0efcc7a2b3c2dd6a6508ca399a1177c
humanhash: sierra-alaska-oranges-burger
File name: Kyd.exe
Signature: GuLoader
File size: 7'994'022 bytes
First seen: 2026-01-29 20:54:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3abe302b6d9a1256e6a915429af4ffd2 (282 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep: 196608:+JRzv4lwm2dKrw72yESoT5nJU93X9Nh6wG/SQ6x+f2cmNOFT:+wGmFrw7qtRJyPGqYyOT
Threatray: 215 similar samples on MalwareBazaar
TLSH: T1BA8633242185E8F3ECE47AF015F5A66DA6F57B20791C8C07C85DF019E901AEDE85F23A
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: aachum
Tags: dropped-by-OffLoader exe GuLoader


iamaachum
IOCs:
alltipi.com
yumpinch.com

Intelligence


File Origin
Uploads: 1
Downloads: 113
Origin country: ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BIGFILMS 8211 INFERNO Pack Create Epic Blockbuster Scenes.exe
Verdict:
Malicious activity
Analysis date:
2026-01-29 20:29:19 UTC
Tags:
auto generic adware loader stealer offloader rust purelogs susp-powershell websocket python arch-exec arch-doc netreactor

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autorun shell sage remo
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole fingerprint installer installer installer-heuristic microsoft_visual_cc nsis soft-404
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-29T18:20:00Z UTC
Last seen:
2026-01-29T18:52:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.PowerShell.gen HEUR:Trojan.MSIL.Agent.gen Trojan.MSIL.Agent.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Deletes itself after installation
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Script Execution From Temp Folder
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Behavior Graph ID: 1860131; Sample: Kyd.exe; Start date: 29/01/2026; Architecture: WINDOWS; Score: 100
Processes observed: Kyd.exe, svchost.exe, Signee.exe, baghdad.exe, powershell.exe, schtasks.exe (several instances), conhost.exe (several instances), msedgewebview2.exe (several instances), plus other unnamed processes
Dropped files: C:\Users\user\AppData\...\WebView2Loader.dll (PE32 and PE32+ variants), C:\Users\user\AppData\Local\...\nsExec.dll (PE32), and 15 other files (12 flagged malicious)
Network contacts: www.alltipi.com; ln-0007.ln-msedge.net (150.171.22.17, port 443, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 13.91.96.185, port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 127.0.0.1; and several other IPs or domains
Signatures attached to graph nodes: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: Scheduled temp file as task from temp location; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall; Adds a directory exclusion to Windows Defender; Uses schtasks.exe or at.exe to add and modify task schedules; Loading BitLocker PowerShell Module; Deletes itself after installation; Found strings related to Crypto-Mining
Threat name:
Win32.Trojan.Nekark
Status:
Malicious
First seen:
2026-01-29 20:54:45 UTC
File Type:
PE (Exe)
Extracted files:
2191
AV detection:
13 of 24 (54.17%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
defense_evasion discovery execution installer persistence privilege_escalation trojan upx
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
UPX packed file
Checks whether UAC is enabled
Network Share Discovery
ACProtect 1.3x - 1.4x DLL software
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Unpacked files
SHA256 hash: 3515de6eccfc4e2b39dd34a21b1e7501673d598792b797907f40683ffb081592
MD5 hash: e0efcc7a2b3c2dd6a6508ca399a1177c
SHA1 hash: 3239435bce0ae3bc86a4ee98f66758ab729cc075

SHA256 hash: 9aa74aeb8856779c005653909d3cc75c1010e28e51d7f4ce23f4df3bb4bde976
MD5 hash: d4e569c6247c5fc835b776b7a1c02e2a
SHA1 hash: bebd37408e7e61d7511224ef92a93b1ab5bfc1a1

SHA256 hash: 91251b00c73b52bdf6154e2c01641e3f0a4001700aaea6aa5344e3a564a9fe94
MD5 hash: 6d5ba29da9f27bcd61c9bec1a378429f
SHA1 hash: 6608051eaf3feb628b360ed7ccba9cce7cf0c719

SHA256 hash: a90f7228f305a7c789e3fa54d3345ab64bbb3da74c0078e6255e6138714a5c1f
MD5 hash: 3f9f6e4a84d7f2a657df324fa5c2cb22
SHA1 hash: ab82f212c612299901b40b278fe4376c7b109fb4

SHA256 hash: 5a17d3c3d844c3ccd484b422789a8a5df9517ad888a93bb4bd2bff8b8956436d
MD5 hash: fa81ea462bb76153897e3ee26319db2a
SHA1 hash: ffe54fa36d4e8de7af595af457b2d7e5b03d9623

SHA256 hash: 063c3bb49d774e0738a2ec4cfa0355db08a72793947136cb162174742f44ba53
MD5 hash: ec73ccd3368ceb251f6343fcf3c874a3
SHA1 hash: b711d5c301416040bbac72cfe45f8c5d2afe2573

SHA256 hash: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
MD5 hash: acc2b699edfea5bf5aae45aba3a41e96
SHA1 hash: d2accf4d494e43ceb2cff69abe4dd17147d29cc2

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GuLoader
Executable exe 3515de6eccfc4e2b39dd34a21b1e7501673d598792b797907f40683ffb081592 (this sample)

Dropped by: OffLoader
Delivery method: Distributed via web download
