MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb
SHA3-384 hash: 7e56a8a4cb40720e3017312aa38c448a613fa863b6e7ad60bb6d5bdf36bd7c817c2273a19204b25e1b12341b8a69517f
SHA1 hash: 957c7e44ab759e57b3ca024cb939a54c304e6d31
MD5 hash: 05c44962b40691d3412a4fcd323a744c
humanhash: mobile-leopard-stream-november
File name:SPM-2412169005.bat.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:404'836 bytes
First seen:2025-09-25 13:09:35 UTC
Last seen:2025-10-09 14:58:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a16e282eba7cc710070c0586c947693 (26 x GuLoader, 11 x VIPKeylogger, 7 x RemcosRAT)
ssdeep 6144:S7rhzbi6GC4fmPAo3XQY2DOX3dJK0AYKpgK8/HPaqfnq1mN44XQrhx8+vYsTzEm:YzbirC4fehXQVDOJc8PPDXkfN
Threatray 1'473 similar samples on MalwareBazaar
TLSH T12384235276E1D83BC8335BF0097B97FA8CD5CC71F19163432FE6BA191B35253842A686
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter James_inthe_box
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
5
# of downloads :
144
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SPM-2412169005.bat.exe
Verdict:
Suspicious activity
Analysis date:
2025-09-25 13:12:56 UTC
Tags:
anti-evasion
Link:
https://app.any.run/tasks/0236b964-4a05-4126-83f9-deb72173865b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29014/
Detection(s):
SecuriteInfo.com.Trojan.NSIS.Guloader.2204.17289.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d552801e4783989051f484
Tags:
injection virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context installer masquerade microsoft_visual_cc obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68d53f25674d5fd6aa0c6dff/reports/9c5a9a4c-9fb5-456b-b98c-091f847ae649/overview
Verdict:
Malicious
Labled as:
Malware_56.2
Link:
https://www.hybrid-analysis.com/sample/f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-25T07:24:00Z UTC
Last seen:
2025-09-25T07:24:00Z UTC
Hits:
~10000
Detections:
Trojan.Win32.GuLoader.sb Trojan.Win32.GuLoader.dcw Trojan.NSIS.Pakes.Krynis.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba Packed.NSIS.Krynis.sb VHO:Trojan.Win32.GuLoader.gen
Link:
https://opentip.kaspersky.com/f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3b34010d-1f95-42f4-b5c4-f6142efea1b8
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/05c44962b40691d3412a4fcd323a744c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb/
Verdict:
Malicious
Threat:
VHO:Trojan.Win32.GuLoader
Link:
https://tip.neiki.dev/file/f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jywojxawx76ocywvlpliiieqcvmnvjjojdam5zxzjrgrtcxhdfq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
13199e42b39e183eea312c99eb0bb2cc697f925945b25a6e6dcc1550d4676a9d
GuLoader
2be5b104a63deb6addd9d49ffea10cfbefc8c214c2578f4554b6272ca3856899
GuLoader
55d8dc6d475a919fe7ec17bd2575cf0f0a1eec913dba89f9556b69621eec0eb6
GuLoader
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
GuLoader
67fd31f9b85ca5e31e0851c8a5f8f2f36343d884aa3dd7f26d4aa6c5d02b28fe
GuLoader
d223a2f132ab3c96f3d16cfdb00d11efce9d9068ee2627c089a76d1e15274656
GuLoader
d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f
GuLoader
dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
GuLoader
error
GuLoader
+ 1'463 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery installer
Link:
https://tria.ge/reports/250925-qd6ewsyvcz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7bde277d-8941-46b0-8b38-46ea3e0d8b3f
Unpacked files
SH256 hash:
f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb
MD5 hash:
05c44962b40691d3412a4fcd323a744c
SHA1 hash:
957c7e44ab759e57b3ca024cb939a54c304e6d31
Link:
https://www.unpac.me/results/87bbed28-f9ce-42ff-a430-66409298d8fc/
SH256 hash:
68b17d8f988354adecd50d824568029ebd51d88293874ac2178cb49de2d763b7
MD5 hash:
4f2bc691e903d2cb134fb48a622df098
SHA1 hash:
25fb6367f42ece8251da055a9c318677e6786f25
Link:
https://www.unpac.me/results/87bbed28-f9ce-42ff-a430-66409298d8fc/
SH256 hash:
7853be9190489ba84dae8232e9a967cec02d941732cb4137bc9ae6a392e89fb8
MD5 hash:
3fbd78c889fa40a2e5567b980c57b7db
SHA1 hash:
303564bfa6fd5ab7a65d35ae1cd14a05643b6b5d
Link:
https://www.unpac.me/results/87bbed28-f9ce-42ff-a430-66409298d8fc/
SH256 hash:
a44ca08afb3f6bafd76aa35c259f3d599fe34f6f49ea5118626c1c1a540b0f03
MD5 hash:
81e268e27dbbcadbf116b5a9402195ab
SHA1 hash:
bd2b701b2e5e279786e179bceee2dc132a2afc37
Link:
https://www.unpac.me/results/87bbed28-f9ce-42ff-a430-66409298d8fc/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2716726e0b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2716726e0b5ffe70b16aadeb4210480aac6d5297246067737ca6268cc5738cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29014/

Comments