MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 11 File information Comments

SHA256 hash:	725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479
SHA3-384 hash:	828c70b9a9c2083f5f16416b50457df28caf132d84289bfbc5aec5e9b88e0e36a1dda23cce98d53692926b1dfb3d259f
SHA1 hash:	63a4e1935c3978ef39b10ddbb8d267397503ead9
MD5 hash:	0811fdc7cebc842a0a79f71d82cacddb
humanhash:	vegan-october-sixteen-moon
File name:	11230009785545.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	241'728 bytes
First seen:	2026-05-15 08:52:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (142 x RedLineStealer, 107 x GuLoader, 64 x DiamondFox)
ssdeep	3072:puxVUg3yGDRb8lc7uC45AY4EDSZikv8zhmNiFxBBZZjiq8S/HGRjI04i/d3wyIfd:4gORay9YaZUINqBBZ1J+jIMB+HJi0pZn
TLSH	T15934122933E5C863EBB14E301E3A0BB52D7AF957105C934317946B0EBD77181AE1FA26
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	c4dadadad2f492c2 (138 x GuLoader, 49 x RemcosRAT, 23 x VIPKeylogger)
Reporter	lowmal3
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Forhoret
Issuer:	Forhoret
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-04-08T01:53:04Z
Valid to:	2027-04-08T01:53:04Z
Serial number:	13bbf640baebdd32e89bfe44d87c17870ae84cf4
Thumbprint Algorithm:	SHA256
Thumbprint:	e07aed530b450a9618ffcb43728f2edd4565ecf1f2208cab1fc8f3c20081e8e6
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

GuLoader NSIS

Details

GuLoader

an XOR decryption key and an extracted component

GuLoader

a c2 URL, a useragent string, and a string XOR key

NSIS

extracted archive contents

Link:

https://research.acce.ciphertechsolutions.com/results/26e1fb1e-616a-4a9f-a082-3e5c4367a1bb/

Malware family:

n/a

ID:

File name:

_725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479.exe

Verdict:

Malicious activity

Analysis date:

2026-05-15 08:53:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4542b709-b064-4f10-b3d5-30eb83da8cb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/66010/

Detection(s):

SecuriteInfo.com.Trojan.Loader.1575.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a06dec746d6967b3d9074d2

Tags:

injection obfusc crypt

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Searching for the window

Creating a file

Delayed reading of the file

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug evasive installer installer installer-heuristic microsoft_visual_cc nsis reconnaissance signed

Link:

https://www.filescan.io/uploads/6a06dec6df14f1cb2ad70c26/reports/cc412c92-66a1-48a4-9c22-66fcdacc12ad/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-12T21:09:00Z UTC

Last seen:

2026-05-16T09:34:00Z UTC

Hits:

~1000

Detections:

Trojan-Downloader.Win32.Minix.sb Packed.NSIS.Krynis.sb HEUR:Trojan-Downloader.Win32.Minix.gen HEUR:Backdoor.Win32.Androm.gen Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba

Link:

https://opentip.kaspersky.com/725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479/results?tab=lookup

Malware family:

Unlabeled

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d9cafc64-88ad-4214-a516-2e56b9f80b3f

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1913907

Signature

AI detected suspicious PE digital signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/0811fdc7cebc842a0a79f71d82cacddb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479/

Verdict:

Malicious

Threat:

Trojan.NSIS.Makoob

Link:

https://tip.neiki.dev/file/725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-05-13 00:05:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 36 (50.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojn6f2azdjozo7pfkol42tl5aafzm47kf4ggzasoazxhol2a2r4q._file

Gathering data

Unpacked files

SH256 hash:

725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479

MD5 hash:

0811fdc7cebc842a0a79f71d82cacddb

SHA1 hash:

63a4e1935c3978ef39b10ddbb8d267397503ead9

Link:

https://www.unpac.me/results/f5421234-15dc-48f2-bd57-58480e24d999/

SH256 hash:

b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81

MD5 hash:

a1da6788aeaf78ca4ae1dece8019e49d

SHA1 hash:

d770155e6e9aa69223be198c44a8da26a1756d89

Link:

https://www.unpac.me/results/f5421234-15dc-48f2-bd57-58480e24d999/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/725be2e8191a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026 Create hunting rule
Author:	SixHands
Description:	Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe 725be2e8191a5d977de55397cd4d7d000b9673ea2f0c6c824e066e772f40d479

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/66010/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample