MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa
SHA3-384 hash: e2ed3d664bdd044c6892c2d82c18d0030da0d8c0256821c2030312e678dc8a7fd456f0fd0337cb89ffcc82df5be9b020
SHA1 hash: ce6158b63a0e6ed9e5db7b572e9c6d07235b80c9
MD5 hash: 16d5a40ce5517e26a63d387bc1b0371b
humanhash: one-cardinal-freddie-asparagus
File name:scan10022025.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:868'584 bytes
First seen:2025-10-21 01:12:36 UTC
Last seen:2025-10-21 10:33:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (548 x GuLoader, 117 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 24576:+3vs71o2D/xY3qUDFRFuN5hUI5iD1AG5nME5qv:+3QjGqUDFRFuN071r5MEYv
Threatray 2'338 similar samples on MalwareBazaar
TLSH T170052250FB42C8A7DC7253700A7F6B7529E3ED6E6E70030E530D76A6B772AC42419A93
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Praktikablestes
Issuer:Praktikablestes
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-26T02:14:01Z
Valid to:2026-09-26T02:14:01Z
Serial number: 71a26c9ad92dfcc9e96156ed8813aa2c6dd76d98
Thumbprint Algorithm:SHA256
Thumbprint: dd08b981c8c9f63cebc177d334bab80783d3fcd6449f8ce933c333d9ca5118e7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
228
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
scan10022025.exe
Verdict:
Malicious activity
Analysis date:
2025-10-21 01:14:41 UTC
Tags:
remcos rat
Link:
https://app.any.run/tasks/9a5828c4-7099-4ec1-99dd-1e468d01321f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33543/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f6de4aad6ce0f5ad4028a9
Tags:
injection virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/68f6de4ac85c5c56972fb8be/reports/009dd35f-757c-44fd-8253-9cb94510c3fd/overview
Verdict:
Malicious
Labled as:
Malware_53.1
Link:
https://www.hybrid-analysis.com/sample/b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-20T21:32:00Z UTC
Last seen:
2025-10-22T23:27:00Z UTC
Hits:
~10000
Detections:
VHO:Trojan.NSIS.Makoob.gen Trojan.Win32.GuLoader.sb HEUR:Trojan.Win32.Makoob.gen Trojan-Downloader.Win32.Minix.sb Trojan.NSIS.Makoob.sbe Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba
Link:
https://opentip.kaspersky.com/b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ac0b5f01-5288-4a5c-ac28-37b732c1b55a
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798773
Signature
AI detected suspicious PE digital signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798773 Sample: scan10022025.exe Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 48 drive.usercontent.google.com 2->48 50 drive.google.com 2->50 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected GuLoader 2->58 60 4 other signatures 2->60 9 scan10022025.exe 4 92 2->9         started        13 remcos.exe 2->13         started        15 remcos.exe 10 2->15         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\unconcatenating.gru, DOS 9->38 dropped 40 C:\Users\user\AppData\Local\...\System.dll, PE32 9->40 dropped 74 Tries to detect virtualization through RDTSC time measurements 9->74 76 Switches to a custom stack to bypass stack traces 9->76 78 Found direct / indirect Syscall (likely to bypass EDR) 9->78 17 scan10022025.exe 2 10 9->17         started        42 C:\Users\user\AppData\Local\...\System.dll, PE32 13->42 dropped 22 remcos.exe 13->22         started        signatures6 process7 dnsIp8 44 drive.usercontent.google.com 142.250.81.225, 443, 49769, 49771 GOOGLEUS United States 17->44 46 drive.google.com 172.217.165.142, 443, 49768, 49770 GOOGLEUS United States 17->46 32 C:\ProgramData\Remcos\remcos.exe, PE32 17->32 dropped 34 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 17->34 dropped 62 Detected Remcos RAT 17->62 64 Creates autostart registry keys with suspicious names 17->64 24 remcos.exe 38 17->24         started        66 Found direct / indirect Syscall (likely to bypass EDR) 22->66 file9 signatures10 process11 file12 36 C:\Users\user\AppData\Local\...\System.dll, PE32 24->36 dropped 68 Multi AV Scanner detection for dropped file 24->68 70 Tries to detect virtualization through RDTSC time measurements 24->70 72 Switches to a custom stack to bypass stack traces 24->72 28 remcos.exe 4 7 24->28         started        signatures13 process14 dnsIp15 52 52.15.108.179, 2404 AMAZON-02US United States 28->52 80 Detected Remcos RAT 28->80 signatures16
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/16d5a40ce5517e26a63d387bc1b0371b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2025-10-21 00:47:16 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdzckge6cc3oxketden5vg3dhnnoiiycvj2depcrg46ia2odqh5a._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0b145928bcccd1f9510ef2744ef2487a38cdcdcc6b8595995c491c29f97f55e9
GuLoader
21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
GuLoader
85407e0947fde678d6abc0d8ebf96c35240a7467b6cf1347ec798072d4f393e2
GuLoader
ca8baf05a8f6f9dd4a486ec38da9bf9b338699464a7d3c05e8b6da8e0059247a
GuLoader
error
GuLoader
f7be02f5ceebf889ff98f83f55c9de2b825229952abc034529223641d8ff3e31
GuLoader
+ 2'328 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery persistence rat
Link:
https://tria.ge/reports/251021-blejtaslg1/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Remcos family
Malware Config
C2 Extraction:
52.15.108.179:2404
Unpacked files
SH256 hash:
b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa
MD5 hash:
16d5a40ce5517e26a63d387bc1b0371b
SHA1 hash:
ce6158b63a0e6ed9e5db7b572e9c6d07235b80c9
Link:
https://www.unpac.me/results/70625145-3d4f-45d2-801f-8f8451fe717c/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/70625145-3d4f-45d2-801f-8f8451fe717c/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/70625145-3d4f-45d2-801f-8f8451fe717c/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8f225189e10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe b8f225189e10b6eba893191bda9b633b5ae42302aa74323c51373c8069c381fa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33543/

Comments