MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df4287799941b5237770c16ee332ad03f44159df85958583ded5a774496d215f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 15

SHA256 hash: df4287799941b5237770c16ee332ad03f44159df85958583ded5a774496d215f
SHA3-384 hash: 5aab3778f3152e93c46dfbfe5d3fb5ca9b4741353f2bef1d498132efc855e783456905257e63567136a6891ba0d8eb2e
SHA1 hash: 943d722e5b2d1b61f51818f5e9692cc05645562e
MD5 hash: bd1d5a4a7a5b37684f8be98bfaba775b
humanhash: crazy-sweet-charlie-mango
File name: JUSTIFICANTE DE TRANSFERENCIA.exe
Signature: GuLoader
File size: 878'384 bytes
First seen: 2025-03-04 07:48:34 UTC
Last seen: 2025-03-04 08:19:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep: 24576:dhRk/kAdQK7LS4S6l2/P3g9ggHqGuiPBxjM4+rV:dhRk/kRK7Ltl+glqdhrV
Threatray: 240 similar samples on MalwareBazaar
TLSH: T1ED1501C0F9C01BD6EAF70BBA02A57615E5379E69571BC20F9A377A1589333C611238A3
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: lowmal3
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Steakes
Issuer: Steakes
Algorithm: sha256WithRSAEncryption
Valid from: 2024-07-24T08:52:41Z
Valid to: 2025-07-24T08:52:41Z
Serial number: 3d49f56e07ed10670ab665d041543ef4569f3194
Thumbprint algorithm: SHA256
Thumbprint: bd5bdff30197ac1cdc760dffdcc2402986f7c512156e0f255088e9cbb622919b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 451
Origin country: DE

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: JUSTIFICANTE DE TRANSFERENCIA.exe
Verdict: Malicious activity
Analysis date: 2025-03-04 07:53:02 UTC
Tags: snake keylogger evasion telegram stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.1%
Tags: injection virus agent nsis

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GuLoader, Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious PE digital signature
Early bird code injection technique detected
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph: [graph image omitted] Behavior Graph ID 1628881, sample JUSTIFICANTE DE TRANSFERENCIA.exe, start date 04/03/2025, architecture WINDOWS, score 100.
Process chain: JUSTIFICANTE DE TRANSFERENCIA.exe drops C:\Users\user\AppData\Local\...\nsExec.dll (PE32) and C:\Users\user\AppData\...\Demirilievo.Cli (Unicode) and starts powershell.exe (with conhost.exe); powershell.exe drops C:\Users\user\AppData\Local\Temp\Bearm.exe (PE32) and C:\Users\user\...\Bearm.exe:Zone.Identifier (ASCII) and starts Bearm.exe.
Network contacts: reallyfreegeoip.org (country lookup of the analysis system), checkip.dyndns.com (132.226.8.169, UTMEMUS, United States), api.telegram.org (149.154.167.220:443, TELEGRAMRU, United Kingdom; likely C&C communication via the Telegram API), plus other IPs or domains.
Signatures attached to the graph: Suricata IDS alerts for network traffic, Found malware configuration, Multi AV Scanner detection for submitted and dropped file, Early bird code injection technique detected, Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading, Tries to steal Mail credentials, Tries to harvest and steal browser information, Switches to a custom stack to bypass stack traces.
Threat name: Win32.Ransomware.SnakeKeylogger
Status: Malicious
First seen: 2025-03-04 05:59:40 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 22 of 38 (57.89%)
Threat level: 5/5

Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:vipkeylogger collection discovery execution keylogger persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
NSIS installer
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict: Malicious
Tags: loader guloader
YARA: NSIS_GuLoader_July_2024
Unpacked files
SHA256 hash: df4287799941b5237770c16ee332ad03f44159df85958583ded5a774496d215f
MD5 hash: bd1d5a4a7a5b37684f8be98bfaba775b
SHA1 hash: 943d722e5b2d1b61f51818f5e9692cc05645562e

SHA256 hash: 1ee2a7f624300b44919fc9c9c3210e85b290e8d67af7aada4c7d5ad872b0a7cf
MD5 hash: 38426fb80294933b4162b5af73f5e55c
SHA1 hash: 0cb85f18ed67785787e14d1c2f4af74fb74ba257
Detections: win_flawedammyy_auto
Parent samples:

SHA256 hash: 7fafaf28fa6eb7604c61ef816cdd3e5097a0e17695bef0bf9116b6558aa68967
MD5 hash: ae164b9dd3591a987b0d71dc255c4654
SHA1 hash: 41198cb28a31a0ffc3d14540e61a4840800681cc
Detections: win_flawedammyy_auto
Parent samples:

Note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
GuLoader: Executable exe df4287799941b5237770c16ee332ad03f44159df85958583ded5a774496d215f (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews (ID, capability, evidence)
AUTH_API (Manipulates User Authorization): ADVAPI32.dll::SetFileSecurityA
COM_BASE_API (Can Download & Execute components): ole32.dll::CoCreateInstance
SECURITY_BASE_API (Uses Security Base API): ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API (Manipulates System Shell): SHELL32.dll::ShellExecuteA, SHELL32.dll::SHFileOperationA, SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API (Can Create Process and Threads): KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API (Uses Win Base API): KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API (Can Create Files): KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::MoveFileExA, KERNEL32.dll::MoveFileA
WIN_BASE_USER_API (Retrieves Account Information): ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API (Can Manipulate Windows Registry): ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API (Performs GUI Actions): USER32.dll::AppendMenuA, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExA, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA