MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 13

SHA256 hash: 3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f
SHA3-384 hash: fe5afa6df3167915871cbedf989571c43cffe30533ca77ee6000c4520c728e083bc8c16c7c550d8d9b81beb171f95d6a
SHA1 hash: f712b5c33d37775f9ec098242cfb5aee8c03ae07
MD5 hash: 474280a75227be516c65a443fef9d8d6
humanhash: bakerloo-echo-oxygen-sixteen
File name: scan.exe
Signature: GuLoader
File size: 1'315'560 bytes
First seen: 2025-09-12 07:21:36 UTC
Last seen: 2025-09-12 13:19:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (shared with 527 GuLoader, 110 RemcosRAT and 80 EpsilonStealer samples in MalwareBazaar; an imphash that spans several families like this usually identifies a common packer or loader stub rather than the final payload, so treat it as a pivot to the wrapper, not as a family signature)
ssdeep: 24576:3ltU3jbRxVXQPSsiSH4UdjiJVcmMAyz2wfrdRfU+lv+mY4ZwRF:v8jbVX/siSYUdjv+ya4rd2KvXwRF
Threatray: 1'064 similar samples on MalwareBazaar
TLSH: T18A5523D17BD0D936D3AB0A7AE47809F60F66EEA1F5181A0B0440FD65BE3D293BA07171
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Anonymous
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Pensioneret
Issuer: Pensioneret
Algorithm: sha256WithRSAEncryption
Valid from: 2025-08-02T23:09:59Z
Valid to: 2026-08-02T23:09:59Z
Serial number: 2b624eb56361451b860106f6519790e8b7c7528a
Thumbprint algorithm: SHA256
Thumbprint: 11d73aada0d309411082309e2dadbc6963fed8f3ce70c4a6262282dfd7455b5f
Source: ReversingLabs A1000 Malware Analysis Platform

Subject and issuer are identical, so this is a self-signed certificate issued about six weeks before the sample was first seen: the signature says nothing about who built the file, and the "signed" tag must not be read as vendor trust. The thumbprint and serial number remain useful as indicators for other files signed with the same key.

Intelligence

File Origin
# of uploads: 2
# of downloads: 135
Origin country: PL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: scan.exe
Verdict: Malicious activity
Analysis date: 2025-09-12 07:23:58 UTC
Tags: remcos rat
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Searching for the window
Creating a file
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer microsoft_visual_cc nsis overlay packed signed

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-12T00:56:00Z UTC
Last seen: 2025-09-12T00:56:00Z UTC
Hits: ~1000
Gathering data

Threat name: Win32.Trojan.GuLoader
Status: Malicious
First seen: 2025-09-12 04:03:31 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 13 of 38 (34.21%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos discovery rat
Behaviour:
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Remcos
Remcos family
Malware Config
C2 Extraction: 196.251.80.39:2404

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f (this sample)
MD5 hash: 474280a75227be516c65a443fef9d8d6
SHA1 hash: f712b5c33d37775f9ec098242cfb5aee8c03ae07
SHA256 hash: 7cf057cedbdf03c208bafacb3298be19e4be2bfcdbee9a70c3fe5e256ef59dd2
MD5 hash: a50a6a6bd748210c047c09c4b8c729f8
SHA1 hash: 7f90afa86fd2fda051fc6f3e3cbe5a29e7804ef4
SHA256 hash: 6af680567b012ab0342f4c19bee7ded71f22e771c1f6ad9a8eaebbe8c1ee4844
MD5 hash: b0ef0e1726a968ac31204fdb3d0961e8
SHA1 hash: ca083ca4f76b92713721c62f21e389bd52101296

Please note that we are no longer able to provide a coverage score for VirusTotal.
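The indicators in this entry (sample and unpacked-file hashes, the extracted Remcos C2 endpoint and the signer thumbprint) turned into a small stdlib-only matcher, as an added example that is not MalwareBazaar's or any vendor's code. The log line layout (key=value fields plus a `src -> dst` connection pair) and the log lines themselves are constructed for the example; the indicator values are the ones listed above. A subject equal to its issuer is reported only as a weak "self-signed signer" heuristic, separately from the exact thumbprint match, because legitimate software is sometimes self-signed too.

```python
"""Match the indicators from this MalwareBazaar entry against log lines.

Added example; not MalwareBazaar or vendor code. Indicator values are the
ones on this page; the log line layout is an assumption for the example.
"""
import re
from dataclasses import dataclass

# Indicators from this entry (the sample and the two unpacked files)
SAMPLE_HASHES = {
    "3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f",  # SHA256 of scan.exe
    "f712b5c33d37775f9ec098242cfb5aee8c03ae07",                          # SHA1 of scan.exe
    "474280a75227be516c65a443fef9d8d6",                                  # MD5 of scan.exe
    "7cf057cedbdf03c208bafacb3298be19e4be2bfcdbee9a70c3fe5e256ef59dd2",  # unpacked file
    "6af680567b012ab0342f4c19bee7ded71f22e771c1f6ad9a8eaebbe8c1ee4844",  # unpacked file
}
C2_ENDPOINTS = {("196.251.80.39", 2404)}   # Remcos C2 from the extracted config
SIGNER_THUMBPRINTS = {"11d73aada0d309411082309e2dadbc6963fed8f3ce70c4a6262282dfd7455b5f"}

HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
ENDPOINT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    kind: str        # "hash", "c2", "signer" or "self_signed"
    indicator: str
    line: str


def match_line(line: str) -> list[Hit]:
    """Return every indicator hit in one log line (empty list if none)."""
    hits = []
    # Hashes: compare case-insensitively, telemetry sources differ in case
    for h in HASH_RE.findall(line):
        if h.lower() in SAMPLE_HASHES:
            hits.append(Hit("hash", h.lower(), line))
    # C2: match on ip AND port; the same host on another port is not a hit
    for ip, port in ENDPOINT_RE.findall(line):
        if (ip, int(port)) in C2_ENDPOINTS:
            hits.append(Hit("c2", f"{ip}:{port}", line))
    # Code-signing fields: exact thumbprint is strong, subject == issuer is weak
    kv = dict(KV_RE.findall(line))
    thumbprint = kv.get("thumbprint", "").lower()
    if thumbprint in SIGNER_THUMBPRINTS:
        hits.append(Hit("signer", thumbprint, line))
    if "subject" in kv and kv["subject"] == kv.get("issuer"):
        hits.append(Hit("self_signed", kv["subject"], line))
    return hits


def scan(lines) -> list[Hit]:
    return [hit for line in lines for hit in match_line(line)]


def summarize(hits) -> dict[str, int]:
    """Count hits per indicator kind, e.g. {"hash": 1, "c2": 1}."""
    counts: dict[str, int] = {}
    for hit in hits:
        counts[hit.kind] = counts.get(hit.kind, 0) + 1
    return counts


# Constructed log lines (not real telemetry) in the assumed layout
SAMPLE_LOG = [
    "2025-09-12T07:29:40Z host=WS-12 event=file_create path=C:\\Users\\j\\AppData\\Roaming\\scan.exe "
    "sha256=3A11BA9D0FE917ECA75C6038281C7BD55DEA9CE1E0DC1B478D55E2592E6F846F",
    "2025-09-12T07:29:41Z host=WS-12 event=signature subject=Pensioneret issuer=Pensioneret "
    "thumbprint=11d73aada0d309411082309e2dadbc6963fed8f3ce70c4a6262282dfd7455b5f",
    "2025-09-12T07:30:01Z host=WS-12 event=conn 10.0.0.15:51234 -> 196.251.80.39:2404 proto=tcp",
    "2025-09-12T07:30:05Z host=WS-12 event=conn 10.0.0.15:51235 -> 196.251.80.39:443 proto=tcp",
    "2025-09-12T07:31:00Z host=WS-07 event=file_create path=C:\\Windows\\Temp\\setup.exe sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.kind:12} {hit.indicator}")
```

Exact hashes only catch this build; a repacked GuLoader stub with the same payload will not match, which is what the ssdeep, TLSH and imphash values above are for. The C2 match deliberately requires the port as well as the address, since 196.251.80.39 may host other services.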

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
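The Detect_NSIS_Nullsoft_Installer description above names two traits (a `.ndata` section and the NSIS header string), and the overlay that CP_AllMal_Detector and Sus_Obf_Enc_Spoof_Hide_PE look at is where an NSIS installer keeps its archive. The following is an added example, not the YARA rules themselves and not MalwareBazaar code: it parses the PE section table, computes the overlay and checks both traits. The `NullsoftInst` magic and the first-header byte layout are reproduced from the NSIS file format and are assumptions for the example; the input is a constructed, non-executable PE-shaped buffer rather than the sample on this page.

```python
"""Check a PE buffer for the two NSIS traits named by Detect_NSIS_Nullsoft_Installer.

Added example: this is not the YARA rule itself and not MalwareBazaar code. It
walks the PE section table for a ".ndata" section and looks for the NSIS
first-header signature string; the byte layout of that header is reproduced
from the NSIS file format and is an assumption for the example.
"""
import struct

NSIS_HEADER_STRING = b"NullsoftInst"   # magic inside the NSIS first header (assumed)
SECTION_HEADER_SIZE = 40


def pe_sections(data: bytes) -> list[dict]:
    """Parse the section table; raise ValueError when the buffer is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + SECTION_HEADER_SIZE * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_pointer": raw_ptr})
    return sections


def is_pe(data: bytes) -> bool:
    try:
        pe_sections(data)
        return True
    except (ValueError, struct.error):
        return False


def overlay(data: bytes, sections: list[dict]) -> bytes:
    """Bytes appended after the last section's raw data (where NSIS keeps its archive)."""
    end = max((s["raw_pointer"] + s["raw_size"] for s in sections), default=0)
    return data[end:]


def nsis_traits(data: bytes) -> dict:
    sections = pe_sections(data)
    extra = overlay(data, sections)
    has_ndata = any(s["name"] == ".ndata" for s in sections)
    has_magic = NSIS_HEADER_STRING in data
    return {
        "ndata_section": has_ndata,
        "nsis_header_string": has_magic,
        "header_string_in_overlay": NSIS_HEADER_STRING in extra,
        "overlay_size": len(extra),
        "looks_like_nsis": has_ndata and has_magic,   # the two traits the rule description combines
    }


def build_fake_pe(section_names, appended: bytes = b"") -> bytes:
    """Constructed, non-executable PE-shaped test input: headers, empty sections, overlay."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = b"\0" * 0xE0                                   # PE32 optional header, contents unused here
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    table_end = e_lfanew + 4 + len(coff) + len(opt) + SECTION_HEADER_SIZE * len(section_names)
    raw_ptr = (table_end + 0x1FF) & ~0x1FF               # raw data on a 512-byte boundary
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x200, 0x1000 * (i + 1),
                    0x200, raw_ptr + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    image = (dos + b"PE\0\0" + coff + opt + headers).ljust(raw_ptr, b"\0")
    image += b"\0" * (0x200 * len(section_names))        # section bodies
    return image + appended


# Constructed overlay mimicking an NSIS first header: flags, 0xDEADBEEF, magic, two lengths
FAKE_NSIS_OVERLAY = struct.pack("<II", 0, 0xDEADBEEF) + NSIS_HEADER_STRING + struct.pack("<II", 0x1234, 0x5678)

if __name__ == "__main__":
    print(nsis_traits(build_fake_pe([".text", ".ndata"], FAKE_NSIS_OVERLAY)))
```

Both traits together only say "built with NSIS", which is exactly why the rule matches many benign installers as well as GuLoader stubs; the vendor tags above (`nsis`, `overlay`, `packed`) should be read the same way, as packaging evidence that needs the behavioural and C2 findings to become a verdict.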

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: GuLoader
File type: Executable exe
SHA256 hash: 3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f (this sample)
