MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70
SHA3-384 hash: 0abc1dfb4a3b290ac1eb333d11393bfd87c116a7f7aa035823fc60a3744b39800c90ec4bda05dc38ee4338101e15a931
SHA1 hash: 7adf122f27962c32c658627a4c26b7ea767d29c9
MD5 hash: 816ac88f7116bef15c30a683d4675029
humanhash: nebraska-cat-bulldog-butter
File name:aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70
Download: download sample
Signature GuLoader
Create hunting rule
File size:445'494 bytes
First seen:2025-08-12 14:00:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep 12288:i6q99lk6/R9n51Cdf86dcdfHTR67s5DZOVzc/:w99zif4fHTzYVw/
Threatray 195 similar samples on MalwareBazaar
TLSH T1AC94120077C4CCBAF1A21A32DA70CBF9D565EE4610E482575B6D3FA77C306408AFA6D6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 34fcf0d4dcf0d2cc (5 x GuLoader, 4 x MassLogger, 4 x VIPKeylogger)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
33
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70
Verdict:
Malicious activity
Analysis date:
2025-08-12 15:38:39 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/4ce566f5-6baa-48c9-8894-09f7e70430a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20456/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689b49a9c633abe3908e4ae5
Tags:
agentb nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay
Link:
https://www.filescan.io/uploads/689b4ed2397fd3ce6fa63360/reports/d322b8b3-9b94-49e6-9ba7-5ad47732b0a9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3b4d09dd-ed83-4ca6-84a7-14284c98b189
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2025-07-22 04:37:25 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsqchrdordmefwopa4bp7dckbgcu55t4ihpmkahh2xn7drv6bvya._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
1a17a42de16364bb496f161ef0c841526a31e4e2003b73a6bbaa54dc695ba9ea
GuLoader
292ef9c837eb247376d40aec091bac4b2ca4195d15614895cc4629d4b62d4604
GuLoader
75ef5c2c26d3ccc5719073b3a6f2e1a3124843ef91bf5b65f7afdab4a90f9d8d
GuLoader
a1fd547ad0224d0be610644c1e65feca18df843f079d9839537dc9f6b3e2a87e
GuLoader
e70b57c6683b6d7b45e0a41938cdac0b81274ccda5fb715794d67cf3310ff01c
GuLoader
e77bd8a212df784a401a246f58119b58c428963b30b98e08992c715f16e5caeb
GuLoader
error
GuLoader
+ 185 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery rat
Link:
https://tria.ge/reports/250812-rqhd9s1mt2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Remcos
Remcos family
Malware Config
C2 Extraction:
inverterpos.duckdns.org:1987
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4a972993-ddd4-457f-86d5-d036eb96efbe
Unpacked files
SH256 hash:
aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70
MD5 hash:
816ac88f7116bef15c30a683d4675029
SHA1 hash:
7adf122f27962c32c658627a4c26b7ea767d29c9
Link:
https://www.unpac.me/results/655c6faa-9c94-4484-86b6-607e163e1f00/
SH256 hash:
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
MD5 hash:
ca332bb753b0775d5e806e236ddcec55
SHA1 hash:
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
Link:
https://www.unpac.me/results/655c6faa-9c94-4484-86b6-607e163e1f00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/20456/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments