MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c
SHA3-384 hash: 0c08cd9cff8363726df711fa7a062deb5c0f4b2a1b3c7d958b3226446f057cf8539b3fa0f5b4233e84b740e96ab9f675
SHA1 hash: a8db9b76bff170d1af341474ac60778454c706fd
MD5 hash: 1a97f4c3c5e0ed82a7005e98df08aa81
humanhash: high-carbon-yellow-illinois
File name:rORIGINALINVOICECOAU7230734290.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:528'182 bytes
First seen:2026-04-21 22:30:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (48 x GuLoader, 31 x RemcosRAT, 18 x AgentTesla)
ssdeep 12288:5TA+Q4/GU1Wx3xgjbruLyYF/UsdSBv+6Vt0SGZNu49ezMgIC:5TAP4/GU1Whxgjbw7FZev+kuu8eAgIC
Threatray 2'665 similar samples on MalwareBazaar
TLSH T1BDB42220A35DE031D89312351E3667EE9EFA7C902562675B03A07F1F3E60B81D69EE12
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 72e0d4dcc061e060 (3 x GuLoader, 2 x RemcosRAT)
Reporter FXOLabs
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
BR BR
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
an XOR decryption key and an extracted component
GuLoader
a c2 URL, a useragent string, and a string XOR key
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/186576a5-f388-472f-ab1b-8610ecba4abb/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c.exe
Verdict:
Malicious activity
Analysis date:
2026-04-21 22:32:01 UTC
Tags:
rat remcos auto-reg
Link:
https://app.any.run/tasks/56f412a9-592e-4cd0-83b8-78a3ea0a6c46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/63024/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e7fa8851cce3ff702eead5
Tags:
injection obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
DNS request
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug fingerprint installer installer installer-heuristic masquerade microsoft_visual_cc nsis soft-404
Link:
https://www.filescan.io/uploads/69e7fa8881aa9ec3bc1cec8c/reports/d03205ef-7406-4089-b137-b8ec500628d3/overview
Verdict:
Malicious
Labled as:
TR/Malware
Link:
https://www.hybrid-analysis.com/sample/4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-21T18:05:00Z UTC
Last seen:
2026-04-23T12:40:00Z UTC
Hits:
~1000
Detections:
Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba Trojan-Downloader.Win32.Minix.sb Trojan.Win32.GuLoader.duu Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbd
Link:
https://opentip.kaspersky.com/4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0975bbbc-01d0-4e8c-aa87-e9e8cf27a4e1
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/1a97f4c3c5e0ed82a7005e98df08aa81
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2026-04-21 22:30:43 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jw3azcg6nlrxkqz5y4ny7xq76mr76w6fijmqhj3tesrsdlefakoa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0bce2a6af8683d11c09366b7435286b4a7108bc2ab9e9e79ae01172e0127a786
GuLoader
121c058c756297ff8e8dd3f69587c590ebbfe6858e896a8730f711f9f742d10f
GuLoader
8b12af481c0add9d0d208b62113612e08ed203e02a9d4416e175293c80be7b18
GuLoader
a7bfa5f42bcc9078688625f6517c6eabe4f1f83abc2e28a60bff88a1668aa431
GuLoader
d3e7a3c65f422312b5abba4d182521d886ccf29cfb93ab3b88650206364c685a
GuLoader
error
GuLoader
+ 2'655 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery persistence rat spyware stealer
Link:
https://tria.ge/reports/260421-2e3k6sgv2t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Family: Remcos
Malware Config
C2 Extraction:
209.54.101.159:3000
Unpacked files
SH256 hash:
4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c
MD5 hash:
1a97f4c3c5e0ed82a7005e98df08aa81
SHA1 hash:
a8db9b76bff170d1af341474ac60778454c706fd
Link:
https://www.unpac.me/results/6e519be0-ac05-4967-b628-e1ff76308517/
SH256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
Link:
https://www.unpac.me/results/6e519be0-ac05-4967-b628-e1ff76308517/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4db60c88de6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 4db60c88de6ae375433dc71b8fde1ff323ff5bc5425903a77324a321ac85029c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/63024/

Comments