MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1
SHA3-384 hash: c1ed3cc2457b812a31fd2449f3aaabc2da6eab59b7f6f30cdc9e7dacb1ec8094a335102ece4b7908b8f20617bd075a00
SHA1 hash: 4bddc02d76644d4f298771aabd99df9cae83f388
MD5 hash: b385360ae25ad7aa74b77afe49ce2c26
humanhash: montana-florida-april-bulldog
File name:Purchase Order H6002873doc.bat
Download: download sample
Signature GuLoader
Create hunting rule
File size:447'767 bytes
First seen:2026-02-03 21:56:42 UTC
Last seen:2026-02-04 15:03:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (541 x GuLoader, 116 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:fQ606xV8H+lc7SGd7U+lVk8yjijkop/vEJ9xltBVQfjQVBRkzAbTFMIF4tLOIBHL:UecGGRUuk8hjF0xGAKzAbTFMbtiIB
Threatray 2'777 similar samples on MalwareBazaar
TLSH T1DF94F1113282EA87C9ED05B944BF62EE4E759E7B9582CB47F2C0FB2E7C766C57A15000
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
135
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
GuLoader
an XOR decryption key and an extracted component
GuLoader
a c2 URL, a useragent string, and a string XOR key
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/8ee9b882-5132-43bb-98b8-58ac03a2b3a4/
Malware family:
n/a
ID:
1
File name:
_80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1.exe
Verdict:
Malicious activity
Analysis date:
2026-02-03 21:57:24 UTC
Tags:
auto-reg phantom stealer crypto-regex evasion
Link:
https://app.any.run/tasks/55773c0f-4279-4c5a-9c34-5df2235020fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51584/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69826f3c6b1af47db72c9327
Tags:
injection obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer installer installer-heuristic masquerade microsoft_visual_cc nsis soft-404
Link:
https://www.filescan.io/uploads/69826f39930564ff3c87f17e/reports/eb88b2bc-c4e5-4962-b203-1e8654f59b7f/overview
Verdict:
Malicious
Labled as:
Trojan.VTYZ
Link:
https://www.hybrid-analysis.com/sample/80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-04T00:26:00Z UTC
Last seen:
2026-02-04T17:18:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.GuLoader.sb HEUR:Trojan.NSIS.GuLoader.gen Trojan-Downloader.Win32.Minix.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba HEUR:Trojan.Win32.Guloader.gen
Link:
https://opentip.kaspersky.com/80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1df67bc1-0b70-4660-bf52-64e952bdaf11
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862861
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Suspicious Executable File Creation
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862861 Sample: Purchase Order H6002873doc.... Startdate: 03/02/2026 Architecture: WINDOWS Score: 100 68 youtube-ui.l.google.com 2->68 70 www.youtube.com 2->70 72 81 other IPs or domains 2->72 86 Multi AV Scanner detection for dropped file 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 Yara detected GuLoader 2->90 92 8 other signatures 2->92 9 Purchase Order H6002873doc.bat.exe 1 29 2->9         started        12 Purchase Order H6002873doc.bat.exe 2->12         started        14 firefox.exe 1 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 64 C:\Users\user\AppData\Local\...\System.dll, PE32 9->64 dropped 18 Purchase Order H6002873doc.bat.exe 26 20 9->18         started        23 Purchase Order H6002873doc.bat.exe 9->23         started        66 C:\Users\user\AppData\Local\...\System.dll, PE32 12->66 dropped 25 Purchase Order H6002873doc.bat.exe 12->25         started        27 Purchase Order H6002873doc.bat.exe 12->27         started        29 firefox.exe 3 436 14->29         started        31 msedge.exe 16->31         started        33 firefox.exe 16->33         started        process6 dnsIp7 74 lodenrandmarines.com 162.251.85.153, 49740, 587 PUBLIC-DOMAIN-REGISTRYUS United States 18->74 76 drive.google.com 142.250.190.238, 443, 49719, 49733 GOOGLEUS United States 18->76 82 2 other IPs or domains 18->82 54 C:\...\Purchase Order H6002873doc.bat.exe, PE32 18->54 dropped 56 Purchase Order H60...exe:Zone.Identifier, ASCII 18->56 dropped 96 Tries to steal Mail credentials (via file / registry access) 18->96 98 Tries to harvest and steal browser information (history, passwords, etc) 18->98 100 Writes to foreign memory regions 18->100 102 3 other signatures 18->102 35 msedge.exe 18->35         started        38 chrome.exe 18->38 injected 40 firefox.exe 1 18->40         started        50 3 other processes 18->50 58 C:\...\Purchase Order H6002873doc.bat.exe.log, ASCII 25->58 dropped 42 Purchase Order H6002873doc.bat.exe 25->42         started        78 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49735, 49743, 49750 GOOGLEUS United States 29->78 80 push.services.mozilla.com 34.107.243.93, 443, 49758, 49760 GOOGLEUS United States 29->80 84 11 other IPs or domains 29->84 60 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 29->60 dropped 62 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 29->62 dropped 44 firefox.exe 29->44         started        46 firefox.exe 29->46         started        48 firefox.exe 29->48         started        file8 signatures9 process10 signatures11 94 Monitors registry run keys for changes 35->94 52 msedge.exe 35->52         started        process12
Score:
54%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1/
Verdict:
Malicious
Threat:
Family.PHANTOM
Link:
https://tip.neiki.dev/file/80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2026-02-03 21:57:20 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdynsdwyet5tekiarvqrgw56pgfzpoj6rodimfz4epnqljfio6qq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
GuLoader
393f30348ea8776aa8d647b548afb06f03a56b5b212c5eaae7f306121cf3b57e
GuLoader
4e11fd9ebcd710646c1c685691837f3e2d4983e9232279ece12a6db9be569ba1
GuLoader
523a09b4d2a3041cf4fa5de52aa73d3caa049147209faf3f3f854819d5ed5ffb
GuLoader
d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096
GuLoader
e4236b751a47d5b200cf57601fa4be5fde3478ec72bfc429c237b5e5c98fe728
GuLoader
error
GuLoader
+ 2'767 additional samples on MalwareBazaar
Result
Malware family:
phantom_stealer
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:phantom_stealer collection discovery downloader persistence spyware stealer
Link:
https://tria.ge/reports/260203-1t1jpabz8e/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects PhantomStealer payload
Guloader family
Guloader,Cloudeye
PhantomStealer
Phantom_stealer family
Unpacked files
SH256 hash:
80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1
MD5 hash:
b385360ae25ad7aa74b77afe49ce2c26
SHA1 hash:
4bddc02d76644d4f298771aabd99df9cae83f388
Link:
https://www.unpac.me/results/14069619-6187-456d-8cda-cc90b27b836b/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/14069619-6187-456d-8cda-cc90b27b836b/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/14069619-6187-456d-8cda-cc90b27b836b/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80f0d90ed824/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe 80f0d90ed824fb3229008d61135bbe798b97b93e8b8686173c23db05a4a877a1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51584/

Comments