MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e
SHA3-384 hash: 5fe7050637bad551410a1f0dfd068d051e4323f71f1c458ebd2bdd8affa388fda7aa4b84c7d16a8160415710148779a3
SHA1 hash: a0a473dd0296e295d3802c77bbe5766ffb333b0b
MD5 hash: b0e14b749d6ea74efedde6ca496b45d0
humanhash: dakota-nitrogen-fourteen-beer
File name:rDirectricesdepol__ticasparaempleados_2026_pdf.exe
Download: download sample
Signature GuLoader
Create hunting rule
File size:369'264 bytes
First seen:2026-06-22 02:00:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (320 x GuLoader, 63 x RemcosRAT, 55 x VIPKeylogger)
ssdeep 6144:IMm4CCEv3liZFEDwxQRy4Cm4k2WQ5s9PxVVuVGNZJWG7JtmkfCTydOjkY3NAC:IMw3v3lisDpRfr4c6iPxVVuVG577mkfy
Threatray 2'371 similar samples on MalwareBazaar
TLSH T1E674126161E5D87AC9645731DC3A07FAA485FD1AC4B48A0B73C17E6939B13C2EE0EB24
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon e4c4cec6c4c4e4f4 (2 x AgentTesla, 1 x GuLoader)
Reporter FXOLabs
Tags:exe GuLoader signed

Code Signing Certificate

Organisation:Exceptionably
Issuer:Exceptionably
Algorithm:sha256WithRSAEncryption
Valid from:2026-05-03T04:59:10Z
Valid to:2027-05-03T04:59:10Z
Serial number: 27f16f267741db5a122deb698b6a43e7411b0834
Thumbprint Algorithm:SHA256
Thumbprint: a735d252cacb23b78c1d1f305131af022cfba75558c3dd81588307982fe84865
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
BR BR
Vendor Threat Intelligence
Malware configuration found for:
GuLoader NSIS
Details
Link:
https://research.acce.ciphertechsolutions.com/results/79852e12-a11b-4db2-b6e3-fe12c3cb8746/
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
_1f3e92fb275fbea7f31629cfc5621c0e190d0ac7f97bde500b8c029ae2fa1fd1.rar
Verdict:
Malicious activity
Analysis date:
2026-06-22 01:32:21 UTC
Tags:
arch-exec ip-check evasion stealer agenttesla
Link:
https://app.any.run/tasks/e3668fe8-b5e5-4de1-88c9-304824a3e4d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71455/
Detection(s):
SecuriteInfo.com.Trojan.Inject6.15694.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a38908286bc95245bf872e6
Tags:
underscore shellcode injection obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% subdirectories
Delayed reading of the file
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 base64 installer installer installer-heuristic masquerade microsoft_visual_cc nsis packed reconnaissance signed
Link:
https://www.filescan.io/uploads/6a3897629de4cf364c10079c/reports/567fae86-1ae0-462f-acbc-49a9ee4c2f98/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-21T22:31:00Z UTC
Last seen:
2026-06-21T22:58:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Badex.d Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sba Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d HEUR:Trojan-Downloader.Win32.Minix.gen Trojan.Win64.Agent.sb Trojan-Downloader.Win32.Minix.sb HEUR:Trojan.NSIS.GuLoader.gen
Link:
https://opentip.kaspersky.com/e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0976633-60b6-4680-be90-380822bd4aab
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b0e14b749d6ea74efedde6ca496b45d0
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-22 01:31:39 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5g46tm52i5kizhyjg6bxx4lfkd2xhqs7oqc6rt57iviz26om3zha._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
30829f3086c52d01a07501ea2ef51c0c94ae8045777e117feb7b41cb0743c421
GuLoader
48caa1c5b9a6b41f64e6f01f74a6ed1623459c064235f772d832153274944fe2
GuLoader
551863be2e92aa2d319a92cda72bc2123233ee3a7e965ee691fd70d88c21d772
GuLoader
60d7ecfa5459d57946bad25c71577ddff454bde012fd802d340830a6a6a4d94f
GuLoader
7f7bbf3140da87669d82e80a8b58c1a982fbd864fbaab92ec14b1c063574972b
GuLoader
803d4ec06466ca32c6f4e2dd79d42d8b6b33b858d393f59f3cce2794981d41f8
GuLoader
841bd3307cb1a34c5f6a907217bd09c5e4d9e7500e2863a8cd956793014d5f2e
GuLoader
dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
GuLoader
eadedc1029829676460e4a64eabd39a11f3753767c000d48cc55a584a5e5a143
GuLoader
error
GuLoader
+ 2'361 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla adware collection discovery keylogger persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/260622-cfqwbshs9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Family: AgentTesla
Unpacked files
SH256 hash:
e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e
MD5 hash:
b0e14b749d6ea74efedde6ca496b45d0
SHA1 hash:
a0a473dd0296e295d3802c77bbe5766ffb333b0b
Link:
https://www.unpac.me/results/9cf6730e-30ae-4dfd-880f-bde235623e83/
SH256 hash:
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8
MD5 hash:
014a3be4a7c1ccb217916dbf4f222bd1
SHA1 hash:
9b4c41eb0e84886beb5591d8357155e27f9c68ed
Link:
https://www.unpac.me/results/9cf6730e-30ae-4dfd-880f-bde235623e83/
SH256 hash:
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156
MD5 hash:
48f3e7860e1de2b4e63ec744a5e9582a
SHA1 hash:
420c64d802a637c75a53efc8f748e1aede3d6dc6
Link:
https://www.unpac.me/results/9cf6730e-30ae-4dfd-880f-bde235623e83/
SH256 hash:
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
MD5 hash:
564bb0373067e1785cba7e4c24aab4bf
SHA1 hash:
7c9416a01d821b10b2eef97b80899d24014d6fc1
Link:
https://www.unpac.me/results/9cf6730e-30ae-4dfd-880f-bde235623e83/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9b9e9b3ba47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

Executable exe e9b9e9b3ba47548c9f0937837bf16550f573c25f7405e8cfbf45519d79ccde4e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71455/

Comments