MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb5fc7e49f6281fc8df937ee858b84bb283c589d4d5ef34c4591e095204fde1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 15



SHA256 hash: bb5fc7e49f6281fc8df937ee858b84bb283c589d4d5ef34c4591e095204fde1f
SHA3-384 hash: 952341060031d955992588f73583b769c38f4d68752044c05b60b0bd231d9bc49267106a335c0331a1cdd39edd11c4ad
SHA1 hash: b2d15d5a6d91c71b3331f30f3bbf223061c519e4
MD5 hash: 1d8dde3f6b8bea3329369c65ca22c7e2
humanhash: five-nineteen-louisiana-avocado
File name: WSAPW0650867.exe
Signature GuLoader
File size: 911'792 bytes
First seen: 2025-11-05 14:57:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (320 x GuLoader, 63 x RemcosRAT, 56 x AgentTesla)
ssdeep 24576:QMwSlTnK9XRBM9CEknM7Cc1fmP7khz1zuc7JM:QMwOnmX3MYVM7CgOP2z1X7JM
Threatray 2'192 similar samples on MalwareBazaar
TLSH T1D4152339F194D447C6A08F715EAE899DC6F4BD9119B94A3A1F103FAAAF31B12C90F305
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter lowmal3
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Shirks
Issuer: Shirks
Algorithm: sha256WithRSAEncryption
Valid from: 2025-10-30T09:55:25Z
Valid to: 2026-10-30T09:55:25Z
Serial number: 533243d9f5d7a311879c2c035155c2ec09730ddc
Thumbprint algorithm: SHA256
Thumbprint: 3fec216486222ff9e2c5abb275c9220f22b68e83df4d5c5b7c96e973b7dbace5
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: GLORIOU SEA PARTICULARS.exe
Verdict: No threats detected
Analysis date: 2025-11-05 10:22:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: uloader dropper virus
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed smb
Verdict: Malicious
File type: exe x32
First seen: 2025-11-04T23:06:00Z UTC
Last seen: 2025-11-05T11:50:00Z UTC
Hits: ~1000
Result
Threat name: Remcos, GuLoader, Snake Keylogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1808655 (Sample: WSAPW0650867.exe, Startdate: 05/11/2025, Architecture: WINDOWS, Score: 100); the rendered process/network graph is not reproduced here.
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.GuLoader
Status: Malicious
First seen: 2025-11-05 05:32:03 UTC
File type: PE (Exe)
Extracted files: 40
AV detection: 17 of 38 (44.74%)
Threat level: 5/5
Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:remcos family:snakekeylogger botnet:remotehost collection discovery execution keylogger persistence rat spyware stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Malware Config
C2 Extraction:
196.251.70.24:2404
196.251.70.24:5000
https://api.telegram.org/bot8434131023:AAFPL4u4Vq8RqzzmwFhGnt3I6-lK08CV3Ao/sendMessage?chat_id=6616930993
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: bb5fc7e49f6281fc8df937ee858b84bb283c589d4d5ef34c4591e095204fde1f
MD5 hash: 1d8dde3f6b8bea3329369c65ca22c7e2
SHA1 hash: b2d15d5a6d91c71b3331f30f3bbf223061c519e4
SHA256 hash: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash: 564bb0373067e1785cba7e4c24aab4bf
SHA1 hash: 7c9416a01d821b10b2eef97b80899d24014d6fc1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string
Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  GuLoader
    Executable exe bb5fc7e49f6281fc8df937ee858b84bb283c589d4d5ef34c4591e095204fde1f (this sample)

Delivery method: Distributed via e-mail attachment
