MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c
SHA3-384 hash: 8678bdef7885d555724201a33853272a9a2aa559a8e2bc420fad96ca8386401441eb2f6dfb17840eb0945ae18288623b
SHA1 hash: 1c27f76094541cfb83afb24d99ed83bfd0df05a9
MD5 hash: 4b65f3f010db2f40dd8734a3a808cc25
humanhash: mars-four-jersey-thirteen
File name:Account.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:521'576 bytes
First seen:2026-03-19 06:52:18 UTC
Last seen:2026-03-19 12:14:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 57e98d9a5a72c8d7ad8fb7a6a58b3daf (63 x GuLoader, 20 x AZORult, 12 x RemcosRAT)
ssdeep 6144:LhRMPAEwuZ0NTcIobPv8ZTJ7EIGv/0NYg+R7kfOa3mhwsFAA3rsoH0uymMA5xETY:1AAwYJobv8Zq0hSk2MEDN0upMiEfijx
Threatray 2'442 similar samples on MalwareBazaar
TLSH T172B4F043F2409562C1750331A97B8B7D1337AFA46B71570F239CFE3939BB2A21A4725A
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Perplex
Issuer:Perplex
Algorithm:sha256WithRSAEncryption
Valid from:2026-02-28T03:49:25Z
Valid to:2027-02-28T03:49:25Z
Serial number: 4bd51232fe4b0c2dba9208349f5a1be71473c689
Thumbprint Algorithm:SHA256
Thumbprint: 6ea2fb86c572aaf17e1a0b2ff46525037e8c235c3493c677de1e8e47b1c59664
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/cf477433-e5df-4da9-90f0-0a86e01a3327/
Malware family:
remcos
Create hunting rule
ID:
1
File name:
_79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c.exe
Verdict:
Malicious activity
Analysis date:
2026-03-19 06:53:18 UTC
Tags:
rat remcos auto-reg
Link:
https://app.any.run/tasks/79b6e9d9-dc04-464e-813a-0ee17788d532

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58084/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.254.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bb9d5988c80c01586be8c9
Tags:
injection obfusc crypt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug installer installer installer-heuristic microsoft_visual_cc nsis signed soft-404
Link:
https://www.filescan.io/uploads/69bb9d572000fc76c3ec0a5e/reports/6f3b7b03-f090-4ad6-a67d-3a5b5f58f6aa/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c
Verdict:
Malicious
File Type:
exe x32
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan-Downloader.Win32.Minix.gen Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sba Backdoor.Win32.Remcos.sb
Link:
https://opentip.kaspersky.com/79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4560b72b-ad10-4f88-8090-4459373f4e08
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1886141
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1886141 Sample: Account.exe Startdate: 19/03/2026 Architecture: WINDOWS Score: 100 79 drive.usercontent.google.com 2->79 81 drive.google.com 2->81 89 Suricata IDS alerts for network traffic 2->89 91 Found malware configuration 2->91 93 Antivirus detection for dropped file 2->93 95 9 other signatures 2->95 10 Account.exe 3 48 2->10         started        14 remcos.exe 28 2->14         started        16 remcos.exe 2->16         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 67 C:\Users\user\AppData\Local\...\System.dll, PE32 10->67 dropped 117 Tries to detect virtualization through RDTSC time measurements 10->117 119 Unusual module load detection (module proxying) 10->119 121 Switches to a custom stack to bypass stack traces 10->121 20 Account.exe 2 10 10->20         started        25 Account.exe 10->25         started        69 C:\Users\user\AppData\Local\...\System.dll, PE32 14->69 dropped 27 remcos.exe 6 14->27         started        29 remcos.exe 14->29         started        71 C:\Users\user\AppData\Local\...\System.dll, PE32 16->71 dropped 31 remcos.exe 16->31         started        33 remcos.exe 16->33         started        signatures6 process7 dnsIp8 83 drive.google.com 142.251.41.174, 443, 49755, 49758 GOOGLEUS United States 20->83 85 drive.usercontent.google.com 142.251.45.193, 443, 49756, 49759 GOOGLEUS United States 20->85 63 C:\ProgramData\Remcos\remcos.exe, PE32 20->63 dropped 65 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->65 dropped 113 Detected Remcos RAT 20->113 115 Creates autostart registry keys with suspicious names 20->115 35 remcos.exe 28 20->35         started        39 Account.exe 20->39         started        41 remcos.exe 27->41         started        43 remcos.exe 31->43         started        file9 signatures10 process11 file12 61 C:\Users\user\AppData\Local\...\System.dll, PE32 35->61 dropped 97 Antivirus detection for dropped file 35->97 99 Multi AV Scanner detection for dropped file 35->99 101 Found hidden mapped module (file has been removed from disk) 35->101 103 3 other signatures 35->103 45 remcos.exe 4 10 35->45         started        50 remcos.exe 35->50         started        signatures13 process14 dnsIp15 87 130.12.181.39, 2404, 49760, 49761 DATAHOPDatahop-SixDegreesGB Canada 45->87 73 C:\Users\user\AppData\Local\Temp\TH50B3.tmp, MS-DOS 45->73 dropped 75 C:\Users\user\AppData\Local\Temp\TH5064.tmp, MS-DOS 45->75 dropped 77 C:\Users\user\AppData\Local\Temp\TH5024.tmp, MS-DOS 45->77 dropped 123 Detected Remcos RAT 45->123 125 Writes to foreign memory regions 45->125 127 Maps a DLL or memory area into another process 45->127 52 userinit.exe 2 45->52         started        55 userinit.exe 45->55         started        57 userinit.exe 45->57         started        59 3 other processes 45->59 file16 signatures17 process18 signatures19 105 Tries to harvest and steal browser information (history, passwords, etc) 52->105 107 Unusual module load detection (module proxying) 52->107 109 Tries to steal Instant Messenger accounts or passwords 55->109 111 Tries to steal Mail credentials (via file / registry access) 55->111
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c
Gathering data
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2026-03-18 22:32:49 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=phy6skyalzw72xsgcqfgszzln7luwziam4522yp45s7vmdkw4coa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1378230336dacaae827b7b4cc4f26ca444c78fa088871829f031541a4bf706d7
GuLoader
297b2ae6169c2e735d906a82a7aa803b9ad136592db15c0aec6b6db0451e6d4f
GuLoader
4b12139f0bc6a7ef12a930d35de53113a07a63895519d9836cbe33ff17b70eaf
GuLoader
5c69e42ab544d80e631e61ecaaa43b40c87605a35d0c4c244d74f039422a2ea3
GuLoader
b14ffb777287fa540f571f2acada09336b4f687b01ceb69ef236b9af0b68b6e3
GuLoader
error
GuLoader
f6469663f0a38647f54764309023eefa956a37e381b7b6fabe2882b75464bd8b
GuLoader
fcbdcccd83183504ce0bec648d0ba34dde6f2e5dcc70783f45ac8bde0c9fcc5c
GuLoader
+ 2'432 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection discovery installer persistence rat
Link:
https://tria.ge/reports/260319-hnqhesbt9r/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks installed software on the system
Contacts third-party web service commonly abused for C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detected Nirsoft tools
Remcos
Remcos family
Malware Config
C2 Extraction:
130.12.181.39:2404
Unpacked files
SH256 hash:
79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c
MD5 hash:
4b65f3f010db2f40dd8734a3a808cc25
SHA1 hash:
1c27f76094541cfb83afb24d99ed83bfd0df05a9
Link:
https://www.unpac.me/results/b8f31f9c-2947-4831-b4dc-396a0daa2cf0/
SH256 hash:
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
MD5 hash:
55a26d7800446f1373056064c64c3ce8
SHA1 hash:
80256857e9a0a9c8897923b717f3435295a76002
Detections:
win_qtbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b8f31f9c-2947-4831-b4dc-396a0daa2cf0/
Parent samples :
dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
e689963b4319dd5d5249ac1c629af5951f4e90db8040bf7ee33492e54c2c6487
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
2952bf5efc5b011349d22cbe6e7a813f0ae014d145f23115184a36a1448262d0
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
830b4dcec27e5d45a9bb7bc538fc026e4af5c3a18de4a71e80b066afe059ac54
2db92a3fa08dc8e97b4f2651e9ec1d123d2556ce5bc7ec9474672767f6505e26
f2b345fcebcd9ed2e342399cfe9819abee7c3642efb6279ad3b4c940555d4564
101057440710c8766fc47fb315ba9fb471c633079c034d5d213e3011cfe075a9
252c26a5ea749569e41b4ce291ea4ff21d08ca884123c8ff171433a359455033
601bc4c4ff50e846a29e702f894f72b8cea1c7c200b363795ed7905784dde043
337b4c24e057d2585f87ed8ad3711ea4c59a3ae1b0895176d983bbc0c64a1d11
1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
31eb29c56f113f47c0e4d29f346f685db8a00b9394efa9643caafa254f0618d7
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
406a9e03ab016d68a3aa919ac67397a83081f3ef478baf752d90545ec0fac6dc
e1e722daed3f9e886b15a541de7d67a023f42b2af431a5b6879ad7d32a1c36bf
170825eaa838a2e43fc76d3ad458982182f7b5471554ffd993525fd928b21d3d
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
3a66e54745e3455f2a8ecf35cc2ae7f3e4c7f960b547a65a55ac8ee4209b37e4
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e
f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
ec06ca55bb1ff5e2c51e7756302a11bfc5341b6baa323788d93d646bd84602da
9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
9b2665438001f2c82c0737efac921004f3435efb29d1edffede8e45683a164a9
b14ffb777287fa540f571f2acada09336b4f687b01ceb69ef236b9af0b68b6e3
4b12139f0bc6a7ef12a930d35de53113a07a63895519d9836cbe33ff17b70eaf
79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/79f1e92b005e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 79f1e92b005e6dfd5e46140a69672b6fd74b6500673bad61fcecbf560d56e09c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58084/

Comments