MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 556c002aee304a4492f240ecb287c19aaf6fb3fc3983b8caf92e1dce9fb3e0b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 19


Intelligence 19 IOCs YARA 2 File information Comments

SHA256 hash: 556c002aee304a4492f240ecb287c19aaf6fb3fc3983b8caf92e1dce9fb3e0b2
SHA3-384 hash: 0cc0cb4415c67a601bb31bd0be8962dc3a4d3276a11e6fda4f56659ff3315c852913553db1503aa880bbf826725e3e2a
SHA1 hash: 67e0a978594e959e69cfcd78a2e263b7bec90ae7
MD5 hash: 3bb29fee2c100fa29ab186b3517ab4a1
humanhash: seventeen-ohio-five-lion
File name:TT Copy.exe
Download: download sample
Signature GuLoader
File size:1'609'435 bytes
First seen:2026-03-15 21:53:31 UTC
Last seen:2026-03-15 22:38:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (301 x GuLoader, 47 x RemcosRAT, 46 x VIPKeylogger)
ssdeep 24576:+OGnCq27h+IwwI8IjJ06w/NuTtDtUKeJGPE8nRKtljZvX9+qe34y2e3uUX5:5OI+I3autEIKeCzRKtl1uuu5
Threatray 2'600 similar samples on MalwareBazaar
TLSH T1A27522C47AD0894AE0B10E350157EB745B1CBC172D23FA06F2E23F9B746E6D6E978249
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 7cdcce5ed9e1f5dd (3 x GuLoader, 1 x RemcosRAT)
Reporter threatcat_ch
Tags:exe GuLoader

Intelligence


File Origin
# of uploads :
2
# of downloads :
219
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
a c2 URL, a useragent string, and a string XOR key
GuLoader
an XOR decryption key and an extracted component
NSIS
extracted archive contents
Malware family:
ID:
1
File name:
TT Copy.exe
Verdict:
Malicious activity
Analysis date:
2026-03-15 21:56:19 UTC
Tags:
remcos rat auto-reg remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
injection blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug fingerprint installer installer installer-heuristic microsoft_visual_cc nsis soft-404
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.NSIS.Makoob.sba PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Guloader.gen Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.Win32.Agent.sb Trojan.NSIS.Makoob.sbe
Result
Threat name:
GuLoader, Remcos
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1884021 Sample: TT Copy.exe Startdate: 15/03/2026 Architecture: WINDOWS Score: 100 72 drive.usercontent.google.com 2->72 74 drive.google.com 2->74 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Antivirus detection for dropped file 2->82 84 9 other signatures 2->84 10 TT Copy.exe 6 113 2->10         started        13 remcos.exe 48 2->13         started        15 remcos.exe 2->15         started        signatures3 process4 file5 62 C:\Users\user\AppData\Local\...\System.dll, PE32 10->62 dropped 17 TT Copy.exe 2 10 10->17         started        22 TT Copy.exe 10->22         started        64 C:\Users\user\AppData\Local\...\System.dll, PE32 13->64 dropped 24 remcos.exe 13->24         started        26 remcos.exe 13->26         started        process6 dnsIp7 68 drive.google.com 142.250.217.238, 443, 49743, 49746 GOOGLEUS United States 17->68 70 drive.usercontent.google.com 142.251.211.193, 443, 49744, 49747 GOOGLEUS United States 17->70 52 C:\ProgramData\Remcos\remcos.exe, PE32 17->52 dropped 54 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 17->54 dropped 86 Detected Remcos RAT 17->86 88 Creates autostart registry keys with suspicious names 17->88 28 remcos.exe 48 17->28         started        32 TT Copy.exe 17->32         started        34 remcos.exe 24->34         started        file8 signatures9 process10 file11 66 C:\Users\user\AppData\Local\...\System.dll, PE32 28->66 dropped 106 Multi AV Scanner detection for dropped file 28->106 108 Found hidden mapped module (file has been removed from disk) 28->108 110 Tries to detect virtualization through RDTSC time measurements 28->110 112 2 other signatures 28->112 36 remcos.exe 4 10 28->36         started        41 remcos.exe 28->41         started        signatures12 process13 dnsIp14 76 31.57.216.128, 2404, 49748, 49749 RASANAIR Iran (ISLAMIC Republic Of) 36->76 56 C:\Users\user\AppData\Local\Temp\THE77B.tmp, MS-DOS 36->56 dropped 58 C:\Users\user\AppData\Local\Temp\THE75B.tmp, MS-DOS 36->58 dropped 60 C:\Users\user\AppData\Local\Temp\THE73B.tmp, MS-DOS 36->60 dropped 90 Detected Remcos RAT 36->90 92 Writes to foreign memory regions 36->92 94 Maps a DLL or memory area into another process 36->94 43 userinit.exe 36->43         started        46 userinit.exe 36->46         started        48 userinit.exe 36->48         started        50 remcos.exe 36->50         started        file15 signatures16 process17 signatures18 96 Tries to steal Mail credentials (via file registry) 43->96 98 Tries to harvest and steal browser information (history, passwords, etc) 43->98 100 Unusual module load detection (module proxying) 43->100 102 Tries to steal Instant Messenger accounts or passwords 46->102 104 Tries to steal Mail credentials (via file / registry access) 46->104
Gathering data
Threat name:
Win32.Trojan.Guloader
Status:
Malicious
First seen:
2026-03-15 21:54:37 UTC
File Type:
PE (Exe)
Extracted files:
55
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
Remcos
Remcos family
Malware Config
C2 Extraction:
31.57.216.128:2404
Unpacked files
SH256 hash:
556c002aee304a4492f240ecb287c19aaf6fb3fc3983b8caf92e1dce9fb3e0b2
MD5 hash:
3bb29fee2c100fa29ab186b3517ab4a1
SHA1 hash:
67e0a978594e959e69cfcd78a2e263b7bec90ae7
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 556c002aee304a4492f240ecb287c19aaf6fb3fc3983b8caf92e1dce9fb3e0b2

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments