MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff
SHA3-384 hash:	8848951f155808551fe21de3831cec14529ef3f8ebdf187eccd657cce0a5a4737a3e303f68d394826fed4fe7e2ecd360
SHA1 hash:	8903d9554c088f185ad7d8671d4e429adbb76e7e
MD5 hash:	fe2a6761da82e99dbdf387aba9b8dd89
humanhash:	triple-charlie-illinois-cardinal
File name:	Taoister.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	445'840 bytes
First seen:	2026-03-16 12:46:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4ea4df5d94204fc550be1874e1b77ea7 (245 x GuLoader, 31 x RemcosRAT, 26 x VIPKeylogger)
ssdeep	6144:6B+pgU8ZHm5GjJ6PTQvcwCW5YG1Fe2bdSSufD02Un0sllit+ma9/cqGIHwBRvkha:6gwHmebvT9rSkdSFfDZU0AVdkqCRJp
Threatray	4'592 similar samples on MalwareBazaar
TLSH	T1DA94E0154BA7981BD9D6173184A2DB325A74EE402D31D68B13C8FE4B3DF2BC0F946297
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Engangsemballagernes
Issuer:	Engangsemballagernes
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-01-18T05:45:05Z
Valid to:	2027-01-18T05:45:05Z
Serial number:	7949004124925fb4e11701314789209f479d24ca
Thumbprint Algorithm:	SHA256
Thumbprint:	fd8109472037f9651a7863c8ea8a1a3b884ee6d55ae68e541b74695e07227c22
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/4ad8f2b5-cf15-409a-b5e7-586513923944/

Malware family:

n/a

ID:

File name:

Taoister.exe

Verdict:

Malicious activity

Analysis date:

2026-03-16 12:46:27 UTC

Tags:

auto-reg phantom stealer crypto-regex ims-api generic telegram evasion

Link:

https://app.any.run/tasks/94a02bd0-f0e1-4142-a691-d27ec075f27b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/57636/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b7fb9a88c80c01586ac284

Tags:

injection obfusc virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug installer installer installer-heuristic microsoft_visual_cc nsis signed soft-404

Link:

https://www.filescan.io/uploads/69b7fb99493cb7d62dffee50/reports/b79b299c-31a7-458d-9d77-c739405d365e/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbd Trojan.NSIS.Makoob.sbb HEUR:Trojan-Downloader.Win32.Minix.gen

Link:

https://opentip.kaspersky.com/16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff/results?tab=lookup

Malware family:

NSIS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/47a363f6-00bb-4339-81a7-e649c9e4c463

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/fe2a6761da82e99dbdf387aba9b8dd89

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff/

Verdict:

Malicious

Threat:

Family.PHANTOM

Link:

https://tip.neiki.dev/file/16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2026-03-13 12:42:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cyjr7xkiykcss2cnqoqgq7rvadtqy2v5rwdpxlx5jhf7372x6x7q._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

448234787d7924280fedbb49f5702f0483ef8046394f8adc14006f3f8b6793b2

GuLoader

67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6

GuLoader

691b3c73fa3301b9c36de80df0e7aa9d551a87ccc77a04b93786d6f1f5a41969

GuLoader

86ec76a64ac162f4699a584a6fbdcf08c6bdfc5e5714e2052b954a7be85e6efc

GuLoader

9707c1faa4b7191af96f2879472c6bb368eef29b80d917dc9dc197f92ae86b8f

GuLoader

ab2036dc90a503a003ed28e17ed2cf24001848be05580b6246656f88abe01c86

GuLoader

ba0f881b0462cfdac753320699ef91fff494497e9fe3ac5c3b9af951f0e14b4f

GuLoader

error

GuLoader

+ 4'582 additional samples on MalwareBazaar

Result

Malware family:

phantom_stealer

Score:

10/10

Tags:

family:phantom_stealer collection discovery persistence spyware stealer

Link:

https://tria.ge/reports/260316-pzq2naaw2q/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses Microsoft Outlook profiles

Adds Run key to start application

Contacts third-party web service commonly abused for C2

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Detects PhantomStealer written in C#

PhantomStealer

Phantom_stealer family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8676391589:AAHTKbZEAvX68o3eEKS473PsZrHlBhXct70/sendMessage?chat_id=8277275661

Unpacked files

SH256 hash:

16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff

MD5 hash:

fe2a6761da82e99dbdf387aba9b8dd89

SHA1 hash:

8903d9554c088f185ad7d8671d4e429adbb76e7e

Link:

https://www.unpac.me/results/158b930c-9387-42a0-9aae-16413ec7d815/

SH256 hash:

2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

MD5 hash:

a4dd044bcd94e9b3370ccf095b31f896

SHA1 hash:

17c78201323ab2095bc53184aa8267c9187d5173

Link:

https://www.unpac.me/results/158b930c-9387-42a0-9aae-16413ec7d815/

Malware family:

PhantomStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/16131fdd48c2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/16131fdd48c28529684d83a0687e3500e70c6abd8d86fbaefd49cbfdff57f5ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57636/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample