MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f
SHA3-384 hash: 87004fe59aef3f843237dd0a757c5652140584cf8c8dfe9f8240e1a01335c8f12a46b1cb25384fdc86d60df79f337a31
SHA1 hash: be65f7fd0293b311c85de6896b32785a9e37c544
MD5 hash: 158003b5e5802fa7d96449a8c76b4b3d
humanhash: spring-princess-avocado-virginia
File name:r09485766-202509240011173645.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:991'080 bytes
First seen:2025-09-24 11:00:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a16e282eba7cc710070c0586c947693 (26 x GuLoader, 11 x VIPKeylogger, 7 x RemcosRAT)
ssdeep 24576:HTzSQXAdMOz1QkWf4lhLeB+k/V4KRUMfzKXlxJRrhLH:zzrAGOC+DqB+kaKRUMLKVXRNb
Threatray 1'411 similar samples on MalwareBazaar
TLSH T14D25232016F1BC62C51DA8B0D05E170BAEB6CE2254A4BF62FB44F5D6F1F48A7D92D603
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter FXOLabs
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Reagans
Issuer:Reagans
Algorithm:sha256WithRSAEncryption
Valid from:2025-07-29T02:19:03Z
Valid to:2026-07-29T02:19:03Z
Serial number: 3d6ab93a06fca1ec59e2a10eb63b6981124a7ceb
Thumbprint Algorithm:SHA256
Thumbprint: 54c7ce1812ed1a1ea9b6a61cc74c324a1a162d8bda0bd56435068488f9dda44e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
r09485766-202509240011173645.exe
Verdict:
Malicious activity
Analysis date:
2025-09-24 11:02:03 UTC
Tags:
evasion stealer ultravnc rmm-tool exfiltration smtp
Link:
https://app.any.run/tasks/cb188e7b-6446-428e-b289-7a00dd51b7cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28772/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d53ee6cc9425144151cd40
Tags:
obfuscate xtreme virus nsis
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/68d3cf6374e5a2898990d689/reports/2b041ea3-6695-466f-9911-9cc214a81c8a/overview
Verdict:
Malicious
Labled as:
Malware_58.6
Link:
https://www.hybrid-analysis.com/sample/d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-24T05:18:00Z UTC
Last seen:
2025-09-24T05:18:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.NSIS.Kryptik.gen Trojan.NSIS.Makoob.sbe Trojan.NSIS.Makoob.sba
Link:
https://opentip.kaspersky.com/d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8beb6e49-2eb0-4ed6-b6f7-1b2cafcaeb5a
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/158003b5e5802fa7d96449a8c76b4b3d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-09-24 11:00:59 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yw7jos7bwi2ioaeg2yfgaxaxcjyr4cyqjnjd5p7ovvznknm3vpq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2be5b104a63deb6addd9d49ffea10cfbefc8c214c2578f4554b6272ca3856899
GuLoader
55d8dc6d475a919fe7ec17bd2575cf0f0a1eec913dba89f9556b69621eec0eb6
GuLoader
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
GuLoader
67fd31f9b85ca5e31e0851c8a5f8f2f36343d884aa3dd7f26d4aa6c5d02b28fe
GuLoader
6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef
GuLoader
a8b9acc89b79999ac9ff94155b6d040b56134d446f6ca934dc000ae8c09c9e9c
GuLoader
d223a2f132ab3c96f3d16cfdb00d11efce9d9068ee2627c089a76d1e15274656
GuLoader
dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
GuLoader
error
GuLoader
+ 1'401 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery installer keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250924-m4e4vaw1gx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Badlisted process makes network request
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
loader guloader
YARA:
NSIS_GuLoader_July_2024
Link:
https://app.threat.zone/submission/207f5529-efeb-4d6c-819a-6ac374d4acc5
Unpacked files
SH256 hash:
d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f
MD5 hash:
158003b5e5802fa7d96449a8c76b4b3d
SHA1 hash:
be65f7fd0293b311c85de6896b32785a9e37c544
Link:
https://www.unpac.me/results/864113e7-8500-4cad-9b46-56128742a130/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d62df4ba5f0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe d62df4ba5f0d91a4380436b05302e0b89388f058825a91f5ff756b96a9acdd5f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28772/

Comments