MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e715ca77bca80baec611ba2f5982ce26a52211523f2db2115165e593b65ff6ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 16

SHA256 hash: e715ca77bca80baec611ba2f5982ce26a52211523f2db2115165e593b65ff6ef
SHA3-384 hash: 5a1f1df6bb22a383634d47fdb598ed952d1b9192a0aa3a2f8a07ed34bc86590aaab3ecef519b0d6f09bbea1df87ceb7c
SHA1 hash: 87a1f01f1a44eaa39401f1d4e82b5dc6206d728f
MD5 hash: 3411fb6f74583251ac0f556d10d80fba
humanhash: zebra-kilo-lake-potato
File name: DZ__0002.EXE
Signature: GuLoader
File size: 895'712 bytes
First seen: 2025-09-26 06:31:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep: 24576:4zHGYjwFi+5iRK68N+myIwFWmrEECmcIQVtNT7C:4J8lYRKv+rtWUEEdQTNa
TLSH: T1AB1523C96D90C826E46A83B414F06E65FE57ECA220DDF90B23513B5B7F331452A4F89B
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Anonymous
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Undergruppen
Issuer: Undergruppen
Algorithm: sha256WithRSAEncryption
Valid from: 2025-08-19T09:34:07Z
Valid to: 2026-08-19T09:34:07Z
Serial number: 01202cc1ba32e20a51cbf4e00f3c73e9691ee12b
Thumbprint algorithm: SHA256
Thumbprint: 07419077358093022f1cf4ae55fdc090c336758e596f45c33001bcbfcda80c46
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 151
Origin country: PL
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: DZ__0002.EXE
Verdict: Malicious activity
Analysis date: 2025-09-26 06:33:45 UTC
Tags: stealer exfiltration agenttesla ftp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 93.3%
Tags: obfuscated obfuscate xtreme nsis

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole installer microsoft_visual_cc nsis overlay signed

Verdict: Malicious
File type: exe x32
First seen: 2025-09-26T03:05:00Z UTC
Last seen: 2025-09-26T03:05:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Dropper.Win32.Agent.gen BSS:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Inject.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sba

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.GuLoader
Status: Malicious
First seen: 2025-09-26 05:31:34 UTC
File type: PE (Exe)
Extracted files: 14
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family: guloader
Score: 10/10
Tags: family:agenttesla family:guloader discovery downloader execution installer keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Guloader family
Guloader,Cloudeye
AgentTesla
Agenttesla family
Verdict: Malicious
Tags: loader guloader
YARA: NSIS_GuLoader_July_2024

Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.