MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615
SHA3-384 hash:	fb0c6c0caa5e4e5434106fc3851ecc4383ad36ff7ddd9a317cd57dedde32dfbf4c2f68ae69824a85db975dd3d92c6ff8
SHA1 hash:	19bc6d54b65d7c2e886a4fd04b1f25763e05be59
MD5 hash:	17773da953115f9705fddd6463174749
humanhash:	quebec-wolfram-quiet-oscar
File name:	b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	583'384 bytes
First seen:	2025-11-06 10:14:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	46ce5c12b293febbeb513b196aa7f843 (35 x GuLoader, 21 x RemcosRAT, 5 x VIPKeylogger)
ssdeep	12288:YX4eIYT9HznBtOOLEx6YhLCdCgEMWevAnxVscgc801du:K4eIYZBxE06yVWevS6cBVu
Threatray	2'296 similar samples on MalwareBazaar
TLSH	T1C9C41290A2F4CC17EDD01A708DB960B6EEE7AE814284D3024766BD2F7E715B1EE13257
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	d022d8c8f28f80c0 (38 x GuLoader, 12 x VIPKeylogger, 6 x Formbook)
Reporter	adrian__luca
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Vouchers
Issuer:	Vouchers
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-09-19T00:55:55Z
Valid to:	2026-09-19T00:55:55Z
Serial number:	1f3bc09f09ae4f07f96dc9af730d818377b7146e
Thumbprint Algorithm:	SHA256
Thumbprint:	cb6e75be0caf7da75a3925d0ded183e61359f4a062c5bca75ac99f9a5c2dc381
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615.exe

Verdict:

Malicious activity

Analysis date:

2025-11-06 10:16:58 UTC

Tags:

snake keylogger evasion telegram stealer ims-api generic

Link:

https://app.any.run/tasks/9d1ddb4f-a0d8-4791-ab89-31f260816ab9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35635/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c7506ea0f3e915c23796b

Tags:

injection injector virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Searching for the window

Creating a file

Delayed reading of the file

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-09T10:28:00Z UTC

Last seen:

2025-11-06T05:32:00Z UTC

Hits:

~1000

Detections:

Trojan.Win32.GuLoader.sb Trojan.NSIS.Pakes.Krynis.sb PDM:Trojan.Win32.Generic VHO:Trojan-Downloader.Win32.Minix.gen Trojan-Downloader.Win32.Minix.sb Trojan-Downloader.Win32.Minix.cbr Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba Packed.NSIS.Krynis.sb

Link:

https://opentip.kaspersky.com/b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615/results?tab=lookup

Malware family:

WinEdt Team

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7bf3d58e-aa8b-4075-8ab8-0b006d968523

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/17773da953115f9705fddd6463174749

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2025-10-09 14:25:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wsluy73qhpecnjsv2vbmdhopbzq4t2ggjmx7pixzqh625cw2yykq._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

519ffa69c89f1f6ca85fc80f08b9d2cb7b731cdd5ebff1cf3221a4e5d0c46582

GuLoader

545812664008d0b35cf61c15c79526b1d5d05aef886a3f85c9056570fbf13933

GuLoader

677fa0e6764f872b832bd199c317eb3f1c21ba43bedb239d9f5097836b9fb65c

GuLoader

b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615

GuLoader

ec40add0f6f93d1ed5cc9a72fde905d55f17f394525fae57eb514a935a202660

GuLoader

error

GuLoader

+ 2'286 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger spyware stealer

Link:

https://tria.ge/reports/251106-l9rjdsvlhq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8146726698:AAFWaTbmHzUN6pYeLzCeWChw7iGzEwehNUA/sendMessage?chat_id=7607347686

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/55cd18fa-98e2-42cf-9a72-bec458ef7a32

Unpacked files

SH256 hash:

b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615

MD5 hash:

17773da953115f9705fddd6463174749

SHA1 hash:

19bc6d54b65d7c2e886a4fd04b1f25763e05be59

Link:

https://www.unpac.me/results/ccb126de-a8b6-4d88-85c8-2079fa967c27/

SH256 hash:

8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

MD5 hash:

9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1 hash:

97332a2ffcf12a3e3f27e7c05213b5d7faa13735

Link:

https://www.unpac.me/results/ccb126de-a8b6-4d88-85c8-2079fa967c27/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b4974c7f703b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4974c7f703bc826a655d542c19dcf0e61c9e8c64b2ff7a2f981fdae8adac615

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35635/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample