MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc
SHA3-384 hash: f5141029cd2a9ba5b62f804c45540c1c526aa3c23c3d513f3d26e9013e91e14816abdaead35b10f9d18b85fb9187df4f
SHA1 hash: c3aef39692eef7ecc91a1ee1cfd30862758d44fd
MD5 hash: 21497194af936c2107eec5341ed0b1e9
humanhash: missouri-moon-speaker-glucose
File name:Invoice.r15
Download: download sample
Signature GuLoader
Create hunting rule
File size:361'926 bytes
First seen:2025-09-25 16:32:19 UTC
Last seen:2025-09-25 20:56:10 UTC
File type: rar
MIME type:application/x-rar
ssdeep 6144:ec+32JWRc5jrKb8M7elP3ce05FPq1i6uCbb0E/Hb2omDsSJmK6LCh1Wj1gxdQF:ecKbRcjlM7oP3ce0rN/Cn0gb8sgTgCs3
TLSH T1A37423CE1E9EC35AAB2CF6D4A2C472422817C7A85C5823D34D7498954B4FDB8D0EB9C7
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter cocaman
Tags:GuLoader INVOICE payment r15 rar


Avatar
cocaman
Malicious email (T1566.001)
From: "qch@alliancesafety.com.sg" (likely spoofed)
Received: "from [91.92.242.11] (unknown [91.92.242.11]) "
Date: "26 Sep 2025 05:42:25 -0700"
Subject: "RE: RECONFIRM BANK DETAILS FOR PAYMENT"
Attachment: "Invoice.r15"

Intelligence

File Origin
# of uploads :
4
# of downloads :
95
Origin country :
CH CH
File Archive Information

This file archive contains 9 file(s), sorted by their relevance:

File name:indsbningernes.uku
File size:1'206 bytes
SHA256 hash: 8d8fb4646bf817f89b8b0b92ea22fbea7cde86f3adf0dc1c5b742c2c05a292be
MD5 hash: 4002eb52e2c3524d6fdb0d07bcb6ca12
MIME type:application/octet-stream
Signature GuLoader
File name:System.dll
File size:12'288 bytes
SHA256 hash: a44ca08afb3f6bafd76aa35c259f3d599fe34f6f49ea5118626c1c1a540b0f03
MD5 hash: 81e268e27dbbcadbf116b5a9402195ab
MIME type:application/x-dosexec
Signature GuLoader
File name:modern-wizard.bmp
File size:26'494 bytes
SHA256 hash: 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
MD5 hash: cbe40fd2b1ec96daedc65da172d90022
MIME type:image/bmp
Signature GuLoader
File name:Subspontaneously.Svi
File size:353'904 bytes
SHA256 hash: 6c02326bef9ff6a5d6e2bd668aa7dd219ca9c177fba2a8f2bf1f7b95f739d03f
MD5 hash: 944fdf521854dd603270a59f28917a2f
MIME type:application/octet-stream
Signature GuLoader
File name:nsDialogs.dll
File size:9'728 bytes
SHA256 hash: 7853be9190489ba84dae8232e9a967cec02d941732cb4137bc9ae6a392e89fb8
MD5 hash: 3fbd78c889fa40a2e5567b980c57b7db
MIME type:application/x-dosexec
Signature GuLoader
File name:Brevbakkens.Tje
File size:25'806 bytes
SHA256 hash: 471c0105b98ff1d3f706d59f1b1d23c44e01e75c5e6ed8dab85e7673fac9b174
MD5 hash: 53e60273d8c0aff2ed9df3931f59dd45
MIME type:application/octet-stream
Signature GuLoader
File name:jagerpiloters.une
File size:265 bytes
SHA256 hash: f48a4f8924a3401f361a026fb6cc29a0f49390636b8a93ad3e468edcf54268a5
MD5 hash: a8041bc00bb6c052fdff4904fae8dd8d
MIME type:application/octet-stream
Signature GuLoader
File name:BgImage.dll
File size:7'680 bytes
SHA256 hash: 68b17d8f988354adecd50d824568029ebd51d88293874ac2178cb49de2d763b7
MD5 hash: 4f2bc691e903d2cb134fb48a622df098
MIME type:application/x-dosexec
Signature GuLoader
File name:Invoice.bat
File size:382'970 bytes
SHA256 hash: e770d4bd2d65dbb979c56054b2ba5b2b6c862e8a55a9769c1c762dd73febe81c
MD5 hash: 55cf812788692306c413aad62ba65b6c
MIME type:application/x-dosexec
Signature GuLoader
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27154.Rar5Heur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d5537d1e4783989051f578
Tags:
injection blic
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer masquerade microsoft_visual_cc nsis overlay
Link:
https://www.filescan.io/uploads/68d56ee074e5a28989934909/reports/59fb0223-6669-4d9a-a255-2f773b218172/overview
Verdict:
Suspicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc
Verdict:
Malicious
File Type:
rar
First seen:
2025-09-25T13:13:00Z UTC
Last seen:
2025-09-25T13:13:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.GuLoader.sb Trojan.Win32.GuLoader.dcy Trojan.NSIS.Pakes.Krynis.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba VHO:Trojan.Win32.GuLoader.gen Trojan-Downloader.Win32.Minix.sb Packed.NSIS.Krynis.sb
Link:
https://opentip.kaspersky.com/4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc/results?tab=lookup
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Rar Archive
Link:
https://app.malva.re/file/21497194af936c2107eec5341ed0b1e9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc/
Verdict:
Malicious
Threat:
Family.GULOADER
Link:
https://tip.neiki.dev/file/4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2025-09-25 16:32:22 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jp2kyttwg4wl47ueojl2avbzqfdnvhutvpb4n3uoircrhwgtp66a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 4bf4ac4e76372cbe7e847257a054398146da9e93abc3c6ee8e444513d8d37fbc

(this sample)

GuLoader

Executable exe e770d4bd2d65dbb979c56054b2ba5b2b6c862e8a55a9769c1c762dd73febe81c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 e770d4bd2d65dbb979c56054b2ba5b2b6c862e8a55a9769c1c762dd73febe81c
  
Dropping
MD5 55cf812788692306c413aad62ba65b6c

Comments