MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6210cbc747a7c2f1f334d62bcac489e882ac3d13190be999f6fa5b16aec0acc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GuLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash: d6210cbc747a7c2f1f334d62bcac489e882ac3d13190be999f6fa5b16aec0acc
SHA3-384 hash: 280b79809798bf0cd66ff80ee8502b9f997f0f97b63313f587c2085868b922bb2db0674a228b6d32902d59ed546e06c6
SHA1 hash: 9955dde274aba746ac4dcadb86530e3e9df8bb1d
MD5 hash: 104c724056ba4c4eeb6068841ec31791
humanhash: bravo-sierra-early-one
File name:d6210cbc747a7c2f1f334d62bcac489e882ac3d13190be999f6fa5b16aec0acc
Download: download sample
Signature GuLoader
File size:543'405 bytes
First seen:2025-11-06 10:52:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep 6144:TVGdx6xECvh0uqXgElLp//VmbB45jLSzLNlWHl5EfXNQqAS4PNH/fqeyfr/rtt5I:ZSxFm+LGNlenu4VP1fqr/x2h/CwGLQ
Threatray 2'230 similar samples on MalwareBazaar
TLSH T146C4F0622761CE03F3C252784496E33D4E699EE47D6ACE2363E43DCB7D18B226839153
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon bae6e6b6b494a484 (3 x GuLoader, 3 x RemcosRAT)
Reporter adrian__luca
Tags:exe GuLoader

Intelligence


File Origin
# of uploads :
1
# of downloads :
85
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
_d6210cbc747a7c2f1f334d62bcac489e882ac3d13190be999f6fa5b16aec0acc.exe
Verdict:
Malicious activity
Analysis date:
2025-11-06 11:06:44 UTC
Tags:
remcos rat auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.1%
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Delayed reading of the file
Creating a file
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-16T18:24:00Z UTC
Last seen:
2025-11-07T09:54:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.GuLoader.sb PDM:Trojan.Win32.Generic Trojan-Downloader.Win32.Minix.sb Trojan.NSIS.Makoob.sbb HEUR:Trojan-Downloader.Win32.Minix.gen VHO:Trojan.Win32.GuLoader.gen VHO:Backdoor.Win32.Remcos.gen Trojan-Dropper.Win32.Injector.sb Trojan.NSIS.Makoob.sba Backdoor.Win32.Remcos.sb
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.Guloader
Status:
Malicious
First seen:
2025-10-17 00:10:01 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:guloader family:remcos discovery downloader persistence rat
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.118.183:2404
Unpacked files
SH256 hash:
d6210cbc747a7c2f1f334d62bcac489e882ac3d13190be999f6fa5b16aec0acc
MD5 hash:
104c724056ba4c4eeb6068841ec31791
SHA1 hash:
9955dde274aba746ac4dcadb86530e3e9df8bb1d
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments