MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698
SHA3-384 hash:	6c1f04a81f47d40fd6e2b501214ea70c2842b6c121be83e008187345d463c232a8431a711745cf4fdc744a436e5ea215
SHA1 hash:	9f762e457def482b0cf4be442f9a698ada6687fb
MD5 hash:	1886ea02a91bcf9e98a7162669a3807d
humanhash:	pip-potato-two-indigo
File name:	c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	377'656 bytes
First seen:	2025-09-24 03:34:23 UTC
Last seen:	2025-09-24 07:01:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1f23f452093b5c1ff091a2f9fb4fa3e9 (276 x GuLoader, 36 x RemcosRAT, 23 x AgentTesla)
ssdeep	6144:qp+ggLD0giHFUpUl+BoOPZdByi+ItlTTtnHnSeKGLRSbHVfGjCXE3bpvguwUT:m8D9iUpUl+BoWoOTtnHn+GL8b1fFEtwY
Threatray	4'308 similar samples on MalwareBazaar
TLSH	T1B38423452191CD73CEAD8AF0567B6B6B2FABA9240D20CB539782CE3C6835392D44CFD1
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Klichwmfyldt
Issuer:	Klichwmfyldt
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-09-19T06:48:01Z
Valid to:	2026-09-19T06:48:01Z
Serial number:	5a01180522d295a5bdb7ddf0ac657fdd24925ea1
Thumbprint Algorithm:	SHA256
Thumbprint:	ea8cf587c9848af2e4c284755013d9266fdeec540b4b86403200ac0e102097a9
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698

Verdict:

Malicious activity

Analysis date:

2025-09-24 03:39:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c2ba3367-e94c-4bbc-9cd0-7b32610357db

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/28718/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d53c8e1e4783989051cb25

Tags:

uloader virus nsis blic

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a file

Delayed reading of the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug blackhole guloader installer microsoft_visual_cc nemesis nsis overlay signed unsafe

Link:

https://www.filescan.io/uploads/68d366c6c24f53840f2fd805/reports/da96220d-f494-428c-a2aa-c2f1a309b5c0/overview

Verdict:

Malicious

Labled as:

Injector.XQFJ

Link:

https://www.hybrid-analysis.com/sample/c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-23T21:16:00Z UTC

Last seen:

2025-09-23T21:16:00Z UTC

Hits:

~1000

Detections:

Packed.NSIS.Krynis.sb Trojan.Win32.GuLoader.sb Trojan.NSIS.Pakes.Krynis.sb HEUR:Trojan.Win32.GuLoader.gen Trojan.NSIS.Makoob.sba

Link:

https://opentip.kaspersky.com/c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698/results?tab=lookup

Malware family:

Unlabeled

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/681bb3d3-194c-4478-a800-b1b5e8fa63c2

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/1886ea02a91bcf9e98a7162669a3807d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698/

Verdict:

Malicious

Threat:

Family.GULOADER

Link:

https://tip.neiki.dev/file/c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698

Threat name:

Win32.Trojan.NsisInject

Status:

Malicious

First seen:

2025-09-24 01:38:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 37 (48.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zefyi3gfqrnz6wwx3uknrdkc4hl3mcjqss3hf3dht3zdf2tji2ma._file

Result

Malware family:

guloader

Score:

10/10

Tags:

family:guloader discovery downloader

Link:

https://tria.ge/reports/250924-d5p6rsbj9z/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Loads dropped DLL

Guloader family

Guloader,Cloudeye

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5efb7fbf-0fc3-4de0-8c51-d094561253a9

Unpacked files

SH256 hash:

c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698

MD5 hash:

1886ea02a91bcf9e98a7162669a3807d

SHA1 hash:

9f762e457def482b0cf4be442f9a698ada6687fb

Link:

https://www.unpac.me/results/7150bbbe-99d8-440f-bf9e-a60f34046691/

SH256 hash:

a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

MD5 hash:

75ed96254fbf894e42058062b4b4f0d1

SHA1 hash:

996503f1383b49021eb3427bc28d13b5bbd11977

Link:

https://www.unpac.me/results/7150bbbe-99d8-440f-bf9e-a60f34046691/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c90b846cc584/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.52

Link:

https://yomi.yoroi.company/submissions/c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/28718/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample