MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7
SHA3-384 hash: 9d1bbb3f06981418d3386b7694a3e46c64c9bb16418a6c5fd062123369841abe5c5a59e3b854cb24be670c1c5a5ae13f
SHA1 hash: 40d039b7a85c88e6502e20b610ea8c3f2e376322
MD5 hash: 029446cec84ba081a4e9dce40936f3ef
humanhash: mars-diet-carpet-freddie
File name:696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7
Download: download sample
Signature GuLoader
Create hunting rule
File size:943'640 bytes
First seen:2026-06-08 09:38:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a16e282eba7cc710070c0586c947693 (37 x GuLoader, 15 x RemcosRAT, 11 x VIPKeylogger)
ssdeep 24576:jA7F8tSnMXcpwm7BllMeBEFmNZpJGSqQc3DKtbPik+e:jz1CwmBlrDHVSKtTik+e
TLSH T17C152399F335831EE866D37184BE8764CA7C6D68704A930F738A72913CA32DA45153FE
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 70e8f0d0f0f8f001 (6 x GuLoader, 1 x RemcosRAT)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/d45b4300-1610-4ecb-87bc-cf02be0a89e2/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69858/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a268e6dae2f98c00a68ca13
Tags:
injection uloader virus nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Delayed reading of the file
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug fingerprint guloader installer installer installer-heuristic microsoft_visual_cc nsis reconnaissance signed similar-threat
Link:
https://www.filescan.io/uploads/6a268e251f652d68656dc1f8/reports/cc07fa6b-a846-429e-8d1d-0f58ab9dfd74/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-13T00:06:00Z UTC
Last seen:
2026-06-04T16:05:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bb77d7da-00c0-43ac-a98b-1f59d71fb9ed
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-13 03:24:16 UTC
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfv27wj4uawebptgykrawqptgkqsfx2pyaqv7d5qy3jvmdywaktq._file
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader installer
Link:
https://tria.ge/reports/260608-lm6d2abw6j/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Contacts third-party web service commonly abused for C2
Loads dropped DLL
Family: Guloader,Cloudeye
Unpacked files
SH256 hash:
696bafd93ca02c40be66c2a20b41f332a122df4fc0215f8fb0c6d3560f1602a7
MD5 hash:
029446cec84ba081a4e9dce40936f3ef
SHA1 hash:
40d039b7a85c88e6502e20b610ea8c3f2e376322
Link:
https://www.unpac.me/results/40838101-45e6-4dbb-8256-24680d953430/
SH256 hash:
a44ca08afb3f6bafd76aa35c259f3d599fe34f6f49ea5118626c1c1a540b0f03
MD5 hash:
81e268e27dbbcadbf116b5a9402195ab
SHA1 hash:
bd2b701b2e5e279786e179bceee2dc132a2afc37
Link:
https://www.unpac.me/results/40838101-45e6-4dbb-8256-24680d953430/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69858/

Comments