MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 18

Intelligence 18 IOCs YARA 2 File information Comments

SHA256 hash:	d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c
SHA3-384 hash:	fc09dc10503270e3da4a88925c478521778367711115d8208b067127253fb11b7179d2d2a9dd9de2ce81685bca1f3738
SHA1 hash:	b5b6ca51a18389e8d0fb624bd0d876041b5cdfa9
MD5 hash:	7440e0323df806c324ebcc97306687db
humanhash:	tango-two-october-winner
File name:	rShippingDocuments.exe
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	621'208 bytes
First seen:	2026-01-27 21:00:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (557 x GuLoader, 119 x RemcosRAT, 82 x EpsilonStealer)
ssdeep	12288:S4nN/ojCzVAuxcKxRhg4j6i+5br0GETP7G16EHrx4Fgr:dNAmAuxY42nr0GcrW+gr
Threatray	2'527 similar samples on MalwareBazaar
TLSH	T160D4E10A7134449EF9105B3100F7A21FACA9EDE4BE735A5E0333FD665B729012EC7A69
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	FXOLabs
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Ssterligt
Issuer:	Ssterligt
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-12-04T05:44:30Z
Valid to:	2026-12-04T05:44:30Z
Serial number:	77bdc88dfbd07f8835390a57174bdab33be4c782
Thumbprint Algorithm:	SHA256
Thumbprint:	67ef050f576d312e9f0f32add8f2308af6c623618fdb37195bce4c06ded85480
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NSIS

Details

Link:

https://research.acce.ciphertechsolutions.com/results/c65e638f-24df-4231-936e-ec550dd2b7fc/

Malware family:

remcos

ID:

File name:

rShippingDocuments.exe

Verdict:

Malicious activity

Analysis date:

2026-01-27 21:00:47 UTC

Tags:

remcos rat auto-reg

Link:

https://app.any.run/tasks/ac617911-a994-4ac3-ae76-de5655ab7335

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/50443/

Detection(s):

Porcupine.NSIS.Injector.ELK.487964.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697927906fa3eed1652fa182

Tags:

injection obfusc

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug blackhole CAB installer installer installer-heuristic masquerade microsoft_visual_cc nsis signed soft-404

Link:

https://www.filescan.io/uploads/6979278512c4ad8c08580b1a/reports/565dd457-e350-4617-828e-cfe02993e35c/overview

Verdict:

Malicious

Labled as:

Agent.KXP.gen

Link:

https://www.hybrid-analysis.com/sample/d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-27T17:07:00Z UTC

Last seen:

2026-01-29T13:47:00Z UTC

Hits:

~10000

Detections:

HEUR:Backdoor.Win32.Remcos.gen BSS:Trojan.Win32.Generic.nblk BSS:Trojan.Win32.Generic Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb HEUR:Trojan-Dropper.Win32.Agentb.gen VHO:Backdoor.Win32.Remcos.gen

Link:

https://opentip.kaspersky.com/d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5cdbb50f-3f00-4116-8407-463f0d5239df

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c/

Verdict:

Malicious

Threat:

Family.REMCOS

Link:

https://tip.neiki.dev/file/d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2026-01-27 21:01:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3d3nvvsmpc4xm7mmeacmaw6omtjq3djgqj3n772k3k2fpapg7yoa._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost collection discovery persistence rat

Link:

https://tria.ge/reports/260127-ztweasdx2h/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Adds Run key to start application

Contacts third-party web service commonly abused for C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Detected Nirsoft tools

NirSoft MailPassView

Remcos

Remcos family

Malware Config

C2 Extraction:

198.23.177.222:2404
198.23.177.222:5000

Unpacked files

SH256 hash:

d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c

MD5 hash:

7440e0323df806c324ebcc97306687db

SHA1 hash:

b5b6ca51a18389e8d0fb624bd0d876041b5cdfa9

Link:

https://www.unpac.me/results/222a0f00-50f3-48b2-9334-b7fdb26c842f/

SH256 hash:

c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

MD5 hash:

9625d5b1754bc4ff29281d415d27a0fd

SHA1 hash:

80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

Link:

https://www.unpac.me/results/222a0f00-50f3-48b2-9334-b7fdb26c842f/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d8f6dad64c78/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

exe d8f6dad64c78b9767d8c2004c05bce64d30d8d268276dfff4adab45781e6fe1c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/50443/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample