MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e
SHA3-384 hash: 405a5f3deb9c7b6e87d14572a53082632afc034b451e9a090d09720cb2da502e06c8804d1eb0c576a8968f422922fb92
SHA1 hash: 7877331737d32f6c72d0192f96b3cc628efa435b
MD5 hash: c9e19315ae261953a2c089a593693c9d
humanhash: mexico-salami-cup-orange
File name:92510625.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'279'107 bytes
First seen:2025-10-06 23:54:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46ce5c12b293febbeb513b196aa7f843 (35 x GuLoader, 21 x RemcosRAT, 5 x VIPKeylogger)
ssdeep 24576:c4nT+i78Dlqq8LmlkokLPcdAHVOb79owt9dv/V/qRS9/0mmzwuki:xaZD86kLPcdaVObxjnV/NZ0Dlki
Threatray 2'203 similar samples on MalwareBazaar
TLSH T12345339173E8D326CD524B31CD3C274E87BBFE0418F99813BB11DC969257C86A9673A2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 82f2b2baf2b2a4a0 (1 x GuLoader)
Reporter threatcat_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92510625.bat
Verdict:
Suspicious activity
Analysis date:
2025-10-06 23:55:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad57ff75-ed4b-4ad6-b97b-a7ff6c753af2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30884/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e456be7f305fa2545d0e82
Tags:
injection obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Searching for the window
Delayed reading of the file
Creating a file
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer masquerade microsoft_visual_cc nsis overlay
Link:
https://www.filescan.io/uploads/68e456c23ec725b8760a2f67/reports/ff7a72ca-a72a-4fce-b45a-2aed6885a9b5/overview
Verdict:
Malicious
Labled as:
Malware_50.2
Link:
https://www.hybrid-analysis.com/sample/777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-06T20:18:00Z UTC
Last seen:
2025-10-08T22:23:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e/results?tab=lookup
Malware family:
WinEdt Team
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2cc16ff2-6444-4269-9922-985909df35ea
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1790279
Signature
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/c9e19315ae261953a2c089a593693c9d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2025-10-06 23:35:39 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o57qdpftbokracy2j2qw2dou6uxy3d27xciucnd7gaa7vqcad6ha._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0140edbd4ebb2e1d24804f6c9891e2309829ecf28ed86b4a038b63cdcb641d0d
GuLoader
519ffa69c89f1f6ca85fc80f08b9d2cb7b731cdd5ebff1cf3221a4e5d0c46582
GuLoader
545812664008d0b35cf61c15c79526b1d5d05aef886a3f85c9056570fbf13933
GuLoader
677fa0e6764f872b832bd199c317eb3f1c21ba43bedb239d9f5097836b9fb65c
GuLoader
ec40add0f6f93d1ed5cc9a72fde905d55f17f394525fae57eb514a935a202660
GuLoader
error
GuLoader
+ 2'193 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery rat
Link:
https://tria.ge/reports/251006-3x43ds1kz6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Remcos
Remcos family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/45b95f4a-9626-4585-a452-cedb1f968261
Unpacked files
SH256 hash:
777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e
MD5 hash:
c9e19315ae261953a2c089a593693c9d
SHA1 hash:
7877331737d32f6c72d0192f96b3cc628efa435b
Link:
https://www.unpac.me/results/e0b8f833-96c0-4f1e-b1da-19850189b0df/
SH256 hash:
b1350f487692057c8ffde75dcc55287a52a3272240d4d4912f24464b27551fc0
MD5 hash:
8f0e7415f33843431df308bb8e06af81
SHA1 hash:
1314272e6ad3be1985d4a1607b890a34b0bde8b5
Link:
https://www.unpac.me/results/e0b8f833-96c0-4f1e-b1da-19850189b0df/
SH256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
Link:
https://www.unpac.me/results/e0b8f833-96c0-4f1e-b1da-19850189b0df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 777f01bcb30b95100b1a4ea16d0dd4f52f8d8f5fb89141347f3001fac0401f8e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30884/

Comments