MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693
SHA3-384 hash: 6d367357e224538bdc16d17694d873108a1af0fbb8fb0314419434e6db15878fb566ae8ff40241bd64230478f6ad7818
SHA1 hash: 39589b4ac082393d0c15c2ba9b9c39553c817d51
MD5 hash: ed69a12592a9d8145d33a560678fed15
humanhash: saturn-uniform-queen-bacon
File name:SecuriteInfo.com.Gen.Variant.Nemesis.47125.6004.30364
Download: download sample
Signature GuLoader
Create hunting rule
File size:433'056 bytes
First seen:2026-02-04 12:50:54 UTC
Last seen:2026-02-04 13:43:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (541 x GuLoader, 116 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:UecGGRUO0k8jY/7RSd9zIo7SFe6hOFxrs:Ue1GRUnjYId9pnxFxQ
TLSH T15994F1113386D547DEED02B144AF86EE0E72AF7BA9858B47F380F62E7DB26C57918110
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:misled
Issuer:misled
Algorithm:sha256WithRSAEncryption
Valid from:2026-01-27T11:41:49Z
Valid to:2027-01-27T11:41:49Z
Serial number: 40273bb79d648659022fa6bd9cff3bec18373be1
Thumbprint Algorithm:SHA256
Thumbprint: c7dcbcf06823a9df7f8ec6ec8176bc156515aa68ead39d9342d29fe15a931a63
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
FR FR
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/73966140-6703-4704-bfbc-b8a565fca96a/
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.47125.6004.30364
Verdict:
Malicious activity
Analysis date:
2026-02-04 12:52:08 UTC
Tags:
auto-reg phantom stealer crypto-regex evasion
Link:
https://app.any.run/tasks/181b9376-7f9d-48e4-a5ec-8e0322bbc362

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51686/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698340c86b1af47db72ccbff
Tags:
injection obfusc crypt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis signed soft-404
Link:
https://www.filescan.io/uploads/698340c52ffccda09767c862/reports/1dde05f5-0063-43cd-b41e-4ad4fd629665/overview
Verdict:
Suspicious
Labled as:
Trojan.VTYZ
Link:
https://www.hybrid-analysis.com/sample/9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-04T09:15:00Z UTC
Last seen:
2026-02-05T05:57:00Z UTC
Hits:
~100
Detections:
Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba HEUR:Trojan.Win32.Guloader.gen Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb
Link:
https://opentip.kaspersky.com/9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8dee2a8f-c71d-4b2e-bdd8-833431813ce6
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/ed69a12592a9d8145d33a560678fed15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693/
Verdict:
Malicious
Threat:
Family.PHANTOM_STEALER
Link:
https://tip.neiki.dev/file/9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2026-02-04 12:51:43 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5ghp3fsj2dpflcb4mpipml7xyzj4mlvbmolf635kfexlumu22jq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
error
GuLoader
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:phantom_stealer collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/260204-p3j3hsb16h/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects PhantomStealer payload
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693
MD5 hash:
ed69a12592a9d8145d33a560678fed15
SHA1 hash:
39589b4ac082393d0c15c2ba9b9c39553c817d51
Link:
https://www.unpac.me/results/7d41f8d0-6fba-4c26-9891-76ef0bb9c696/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/7d41f8d0-6fba-4c26-9891-76ef0bb9c696/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/7d41f8d0-6fba-4c26-9891-76ef0bb9c696/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f4c77ecb24e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f4c77ecb24e86f2ac41e31e87b17fbe329e31750b1cb2fb7d514975d194d693

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51686/

Comments