MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0
SHA3-384 hash: 938388192cb6d390cab5b4c2b534b90fba7ff72d6faf26936aba921115f7fbfc77bc24d0840f54207723d9032803feb7
SHA1 hash: 82d197dcf365647a8b67f6bfb7aa0f298960e1ad
MD5 hash: a90838a59c74be0f3f13fc4d1578b01d
humanhash: don-bluebird-blue-twelve
File name:scan_0827.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:513'240 bytes
First seen:2025-08-27 06:09:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a16e282eba7cc710070c0586c947693 (26 x GuLoader, 11 x VIPKeylogger, 7 x RemcosRAT)
ssdeep 12288:Pq7rPyoZdm85CBwWvyR5l2z1eVKGaFsPRYW19:Pq7rPyWVKyQpe8H0x
Threatray 42 similar samples on MalwareBazaar
TLSH T124B4233233F9D453EAE00570093F01A7A7A3DE9358A46B5B678DBC2E7C223959B1E50D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SMTP[1].eml.tgz
Verdict:
Malicious activity
Analysis date:
2025-08-27 02:32:08 UTC
Tags:
arch-doc arch-email attachments attc-unc arch-exec
Link:
https://app.any.run/tasks/e6a68594-a3c2-4be8-aac1-4c58dd146228

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23765/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68aea12feb163e0ec182d1eb
Tags:
uloader virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc obfuscated overlay signed
Link:
https://www.filescan.io/uploads/68aea12a28a89d9dd4f52df0/reports/5d32b95a-9604-48e1-afc4-ae49120f3c9c/overview
Verdict:
Malicious
Labled as:
Malware_44.5
Link:
https://www.hybrid-analysis.com/sample/54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-26T23:08:00Z UTC
Last seen:
2025-08-26T23:08:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/86cf2487-78c5-4268-bdfb-c0e4500e34af
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1765937
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kti3iewhk35hzdvcnaa6ycechkkgamdyurvxag366xseqtkhf7qa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
426072e0492151d229d31dfef04a0b3b13fbbf91a0950fa2e83a4996f2635edf
GuLoader
54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0
GuLoader
59258d6f37a00b896648a31ae71f01da6373e0efbdf5b3f3d637e6257dfe767f
GuLoader
6801825ba4656a078f7e05b9f226642128fa131fa29f94ff11ecec2fdefa467d
GuLoader
93ef4244ed371d4be51955474c1713769f7973200030d8d7a5c61877236bcb3c
GuLoader
c45e0bc5947ac8141dce8305bf30acec32d2cee46afc64ec8a68cc6488e286fd
GuLoader
error
GuLoader
+ 32 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery installer rat
Link:
https://tria.ge/reports/250827-gwwhzaxkt3/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Remcos
Remcos family
Verdict:
Suspicious
Tags:
loader guloader
YARA:
NSIS_GuLoader_July_2024
Link:
https://app.threat.zone/submission/a84b55f2-e657-4006-a221-5687d5429073
Unpacked files
SH256 hash:
54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0
MD5 hash:
a90838a59c74be0f3f13fc4d1578b01d
SHA1 hash:
82d197dcf365647a8b67f6bfb7aa0f298960e1ad
Link:
https://www.unpac.me/results/519f5817-b726-42dd-8584-27f073880747/
SH256 hash:
a44ca08afb3f6bafd76aa35c259f3d599fe34f6f49ea5118626c1c1a540b0f03
MD5 hash:
81e268e27dbbcadbf116b5a9402195ab
SHA1 hash:
bd2b701b2e5e279786e179bceee2dc132a2afc37
Link:
https://www.unpac.me/results/519f5817-b726-42dd-8584-27f073880747/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/54d1b412c756/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 54d1b412c756fa7c8ea26801ec08823a94603078a46b701b7ef5e4484d472fe0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23765/

Comments