MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0288db1418cf2c5f0be529a5e63c4f8b6c04c6be5a61fbc6dde28973cfb8428c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader
Vendor detections: 17

SHA256 hash: 0288db1418cf2c5f0be529a5e63c4f8b6c04c6be5a61fbc6dde28973cfb8428c
SHA3-384 hash: 8a0e35899e1f21d41372632a833c26c337e62c1f9660fe66148a4803a21aec70277337be7081c7f5cdea5692076e0123
SHA1 hash: 7aba5b564d4da39cc43134889e3661dc9a23bcbd
MD5 hash: a4a84d4ba76194291d540cbadf9a5fd2
humanhash: triple-london-black-london
File name: 1109025.exe
Download: download sample
Signature: GuLoader
File size: 1'033'328 bytes
First seen: 2025-11-10 03:30:42 UTC
Last seen: 2025-11-10 08:19:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (548 x GuLoader, 117 x RemcosRAT, 81 x EpsilonStealer)
ssdeep: 24576:3tn91wY4jrKRMNOss0i4/Zu9/uDJu1ICkKSmwHh:99khAWoUJu1KrB
TLSH: T10B2512117980F5C2E9A089F10711A7799BFA7CE278406907775BF38C3872747A4EEE26
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: threatcat_ch
Tags: exe GuLoader signed
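The imphash above is shared by 548 GuLoader, 117 RemcosRAT and 81 EpsilonStealer samples because it fingerprints the import table of the NSIS installer stub, not the payload inside it. The following is an added example, not code from MalwareBazaar or from any vendor on this page: it reproduces the normalisation that pefile's `get_imphash()` applies (lower-casing, stripping only the .dll/.ocx/.sys extension, resolving ws2_32/oleaut32 ordinals, MD5 over the comma-joined, order-preserving list). The ordinal tables are a small subset reproduced from memory and the import table `SAMPLE_IMPORTS` is constructed for illustration; it is not the real import table of 1109025.exe.

```python
import hashlib
from typing import List, Optional, Tuple

# One import entry: (dll name as written in the import directory,
# function name or None, ordinal or None).
Import = Tuple[str, Optional[str], Optional[int]]

# pefile maps imports-by-ordinal to names for these two DLLs before hashing.
# Assumption: only a few entries of those tables are reproduced here.
ORDINAL_NAMES = {
    "ws2_32": {4: "connect", 23: "socket", 52: "gethostbyname"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString"},
}


def normalize_import(dll: str, func: Optional[str], ordinal: Optional[int]) -> str:
    """Return the 'dll.function' token that imphash is computed over."""
    lib = dll.lower()
    if lib.endswith((".dll", ".ocx", ".sys")):  # only these extensions are stripped
        lib = lib[:-4]
    if func is None:
        # Import by ordinal: use a known name if we have one, otherwise ordNN.
        name = ORDINAL_NAMES.get(lib, {}).get(ordinal)
        name = name.lower() if name else f"ord{ordinal}"
    else:
        name = func.lower()
    return f"{lib}.{name}"


def imphash_string(imports: List[Import]) -> str:
    """The comma-joined, order-preserving string that is actually hashed."""
    return ",".join(normalize_import(*entry) for entry in imports)


def imphash(imports: List[Import]) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table resembling a small installer stub (illustrative only;
# the real table would have to be read from the PE's import directory).
SAMPLE_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "GetModuleHandleA", None),
    ("KERNEL32.dll", "LoadLibraryA", None),
    ("KERNEL32.dll", "GetProcAddress", None),
    ("USER32.dll", "MessageBoxA", None),
    ("ADVAPI32.dll", "RegSetValueExA", None),
    ("WS2_32.dll", None, 23),
    ("SHELL32.dll", "ShellExecuteA", None),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Same APIs in a different order hash differently: imphash is order-sensitive.
    print(imphash(list(reversed(SAMPLE_IMPORTS))))
```

On a real file, `pefile.PE(path).get_imphash()` is the reference implementation and produces a value comparable with the one shown on this page. Because the hash covers the installer stub, it is useful for clustering NSIS-packed droppers but says nothing about which family the stub unpacks; the family attribution on this page comes from the sandbox and YARA results further down.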

Code Signing Certificate

Organisation: Brashiest
Issuer: Brashiest
Algorithm: sha256WithRSAEncryption
Valid from: 2025-11-05T02:36:14Z
Valid to: 2026-11-05T02:36:14Z
Serial number: 3d7c51c72a1544ff7d58ef1108d22f6317565502
Thumbprint algorithm: SHA256
Thumbprint: 16e393f2b78f11964a2405f20ae60c96fec6f1cc4e84648c1691610a520bfc3f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Issuer and organisation are identical, so the certificate is self-signed and will not verify against any trust store that does not already contain it; its validity period started five days before the sample was first seen. The "signed" tag records only that an Authenticode signature is present, not that it is trusted.
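A self-signed certificate minted days before the first submission is a common pattern for signed loaders, and it is cheap to flag from the fields shown above. The following is an added example, not code from MalwareBazaar or ReversingLabs: it parses the two timestamp formats the page uses and returns triage findings for a certificate block. The 14-day "fresh certificate" threshold and the finding codes are assumptions chosen for illustration; the certificate values are copied from the entry above.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Timestamp formats as they appear on the page: the certificate block uses
# ISO 8601 with a trailing Z, the "First seen" field uses a space and "UTC".
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S UTC")


def parse_utc(ts: str) -> datetime:
    for fmt in _FORMATS:
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def signer_findings(cert: Dict[str, str], first_seen: str,
                    fresh_days: int = 14) -> List[Tuple[str, str]]:
    """Triage a code-signing certificate block; returns (code, detail) pairs.

    fresh_days is an assumed threshold for "certificate minted shortly before
    the sample appeared in the wild".
    """
    findings: List[Tuple[str, str]] = []
    subject, issuer = cert["Organisation"], cert["Issuer"]
    not_before, not_after = parse_utc(cert["Valid from"]), parse_utc(cert["Valid to"])
    seen = parse_utc(first_seen)
    algorithm = cert.get("Algorithm", "").lower()

    if subject == issuer:
        findings.append(("self_signed", f"issuer equals subject ({issuer}); no CA chain"))
    if "sha1" in algorithm or "md5" in algorithm:
        findings.append(("weak_digest", f"signature algorithm {cert['Algorithm']}"))
    if seen < not_before:
        findings.append(("not_yet_valid", "sample seen before the certificate's validity start"))
    elif seen > not_after:
        findings.append(("expired", "sample seen after the certificate expired"))
    else:
        age = seen - not_before
        if age.days <= fresh_days:
            findings.append(("fresh_certificate",
                             f"issued {age.days} days before first submission"))
    return findings


# Certificate fields copied from the entry above.
BRASHIEST_CERT = {
    "Organisation": "Brashiest",
    "Issuer": "Brashiest",
    "Algorithm": "sha256WithRSAEncryption",
    "Valid from": "2025-11-05T02:36:14Z",
    "Valid to": "2026-11-05T02:36:14Z",
}
FIRST_SEEN = "2025-11-10 03:30:42 UTC"

if __name__ == "__main__":
    for code, detail in signer_findings(BRASHIEST_CERT, FIRST_SEEN):
        print(f"{code:18} {detail}")
```

This only inspects metadata; whether the Authenticode signature actually verifies against the file's contents still has to be checked on the binary itself (for example with `Get-AuthenticodeSignature` on Windows or `osslsigncode verify`), and a valid chain to a public CA would not by itself make the sample benign.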

Intelligence


File Origin
# of uploads: 2
# of downloads: 152
Origin country: CH
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 1109025.exe
Verdict: Malicious activity
Analysis date: 2025-11-10 03:32:08 UTC
Tags: auto-reg rat remcos remote stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 70%
Tags: injection obfusc blic
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Searching for the window
  Creating a file
  Creating a file in the %temp% directory
  Sending a custom TCP request
  Delayed reading of the file
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  DNS request
  Connection attempt
  Sending an HTTP GET request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-09T22:52:00Z UTC
Last seen: 2025-11-12T01:22:00Z UTC
Hits: ~1000
Detections: Trojan.NSIS.Makoob.sbb, Trojan.NSIS.Makoob.sba, Trojan-Downloader.Win32.Minix.sb, HEUR:Backdoor.Win32.Remcos.gen

Result
Threat name: GuLoader, Remcos
Detection: malicious
Classification: troj.evad.phis.spyw
Score: 100 / 100
Signatures:
AI detected suspicious PE digital signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 1811085, sample 1109025.exe, start date 10/11/2025, architecture WINDOWS, score 100), recovered from the graph as a process tree:

Root: DNS drive.usercontent.google.com, drive.google.com; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 9 other signatures

1109025.exe
  dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
  signatures: Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
  -> 1109025.exe (child process)
       network: drive.google.com 142.250.188.14:443 (GOOGLEUS, United States; local ports 49754, 49756)
                drive.usercontent.google.com 142.250.191.1:443 (GOOGLEUS, United States; local ports 49755, 49757)
       dropped: C:\ProgramData\Remcos\remcos.exe (PE32)
                C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII)
       signatures: Detected Remcos RAT; Creates autostart registry keys with suspicious names
       -> remcos.exe
            dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
            signatures: Multi AV Scanner detection for dropped file; Found hidden mapped module (file has been removed from disk); Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
            -> remcos.exe (child process)
                 network: 196.251.72.93:2404 (Web4AfricaZA, Seychelles; local ports 49758, 49759)
                 dropped: C:\Users\user\AppData\Local\Temp\THF8.tmp (MS-DOS)
                          C:\Users\user\AppData\Local\Temp\THA9.tmp (PE32)
                          C:\Users\user\AppData\Local\Temp\TH147.tmp (MS-DOS)
                 signatures: Detected Remcos RAT; Writes to foreign memory regions; Maps a DLL or memory area into another process
                 -> RmClient.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                 -> RmClient.exe: Tries to harvest and steal browser information (history, passwords, etc)
                 -> RmClient.exe
                 -> 4 other processes

remcos.exe (second instance, started from the root)
  dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
  -> remcos.exe (child process)

remcos.exe (third instance, started from the root)
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.GuLoader
Status: Malicious
First seen: 2025-11-10 02:13:59 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 20 of 38 (52.63%)
Threat level: 5/5

Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost collection discovery persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction: 196.251.72.93:2404

Verdict: Suspicious
Tags: n/a
YARA: n/a
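The sandbox process tree and the extracted C2 socket above give enough to hunt for this chain in endpoint telemetry. The following is an added example, not code from MalwareBazaar or from any vendor on this page: it encodes the indicators shown here (the C2 socket 196.251.72.93:2404, the persistence copy C:\ProgramData\Remcos\remcos.exe, the TH*.tmp drop names, the Google Drive staging hosts) with a confidence level each, and runs them over a constructed log. The log format (`<timestamp> <event> key=value ...`), the host name WS-17, the user jdoe and the benign 192.0.2.10 connection are all constructed for illustration; the TH[0-9A-F]+ pattern is generalised from the three file names the sandbox observed.

```python
import re
from typing import Dict, List

# Indicators from the sandbox results on this page. Confidence reflects how
# specific each one is: the C2 socket comes from the extracted Remcos config,
# while Google Drive is a legitimate service used only for staging.
INDICATORS = [
    ("dst",   r"^196\.251\.72\.93:2404$",                   "high",   "Remcos C2 from extracted config"),
    ("path",  r"^C:\\ProgramData\\Remcos\\remcos\.exe$",    "high",   "Remcos persistence copy"),
    ("path",  r"\\AppData\\Local\\Temp\\TH[0-9A-F]+\.tmp$", "medium", "temp drop naming seen in sandbox (THF8/THA9/TH147.tmp)"),
    ("query", r"^drive(\.usercontent)?\.google\.com$",      "low",    "stage download via Google Drive (legitimate service)"),
]
COMPILED = [(field, re.compile(pat, re.IGNORECASE), conf, label)
            for field, pat, conf, label in INDICATORS]


def parse_line(line: str) -> Dict[str, str]:
    """Parse '<ts> <event> k=v k=v ...' (constructed format; values contain no spaces)."""
    ts, event, *kv = line.split()
    rec = {"ts": ts, "event": event}
    rec.update(tok.split("=", 1) for tok in kv)
    return rec


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per (log line, indicator) match, in log order."""
    hits = []
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        for field, rx, conf, label in COMPILED:
            value = rec.get(field)
            if value and rx.search(value):
                hits.append({"ts": rec["ts"], "proc": rec.get("proc", "?"), "value": value,
                             "confidence": conf, "label": label})
    return hits


def verdict(hits: List[Dict[str, str]]) -> str:
    """Highest confidence among the hits; 'none' when nothing matched."""
    order = {"none": 0, "low": 1, "medium": 2, "high": 3}
    return max((h["confidence"] for h in hits), key=order.get, default="none")


# Constructed endpoint telemetry for one host, mirroring the sandbox chain.
SAMPLE_LOG = r"""
2025-11-10T03:33:10Z dns  host=WS-17 proc=1109025.exe query=drive.google.com
2025-11-10T03:33:11Z dns  host=WS-17 proc=1109025.exe query=drive.usercontent.google.com
2025-11-10T03:33:12Z net  host=WS-17 proc=1109025.exe dst=142.250.188.14:443
2025-11-10T03:33:20Z file host=WS-17 proc=1109025.exe path=C:\ProgramData\Remcos\remcos.exe
2025-11-10T03:33:41Z net  host=WS-17 proc=remcos.exe dst=196.251.72.93:2404
2025-11-10T03:33:42Z file host=WS-17 proc=remcos.exe path=C:\Users\jdoe\AppData\Local\Temp\THA9.tmp
2025-11-10T03:34:00Z net  host=WS-17 proc=msedge.exe dst=192.0.2.10:443
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['confidence']:6} {h['proc']:12} {h['label']}: {h['value']}")
    print("verdict:", verdict(found))
```

The Google IPs from the sandbox run (142.250.188.14, 142.250.191.1) are deliberately not indicators: they are shared Google front ends and would fire on ordinary browsing. The low-confidence Drive hits only become interesting when they precede a high-confidence hit on the same host, which is what the ordering of the hits list lets an analyst see.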
Unpacked files
SHA256 hash: 0288db1418cf2c5f0be529a5e63c4f8b6c04c6be5a61fbc6dde28973cfb8428c
MD5 hash: a4a84d4ba76194291d540cbadf9a5fd2
SHA1 hash: 7aba5b564d4da39cc43134889e3661dc9a23bcbd

SHA256 hash: 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311
MD5 hash: 82c3f38cd34739872af07443c65d0bd8
SHA1 hash: 1f4ee2d394404a291eda6419f856adaf4b960237

SHA256 hash: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
MD5 hash: 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 hash: 223bef1f19e644a610a0877d01eadc9e28299509
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: GuLoader
Executable exe 0288db1418cf2c5f0be529a5e63c4f8b6c04c6be5a61fbc6dde28973cfb8428c (this sample)
Delivery method: Distributed via e-mail attachment
