MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8
SHA3-384 hash:	7ed0e6a9c26e5d904b8ce27c197330e5b1196d61a01c859e6fdf1fd3f036f2825424672db127164dfd00aa22309fc3f3
SHA1 hash:	ccf25191a1f631eb4288dbf41c33bface4be593d
MD5 hash:	340ba0c0a4a4f53a3637015b5d41de7c
humanhash:	mountain-uranus-finch-montana
File name:	eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8
Download:	download sample
Signature	GuLoader Create hunting rule
File size:	338'080 bytes
First seen:	2026-06-08 09:36:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep	6144:9mOP320cNWoP78HOpf1iDLl2r4G7fHT6Jlvi4dhMMdCRXcDmXuWnknhrJlYtWp:BtoPdNi/Sfz6Jw8hrdCRXxNEhPYt6
Threatray	2'930 similar samples on MalwareBazaar
TLSH	T1E374122125E0CC67E8734C301F6F9EE6CA7667F943242E8F5344A69869A739C4E3C356
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	f44888ac4448484c (2 x AgentTesla, 1 x GuLoader)
Reporter	adrian__luca
Tags:	exe GuLoader signed

Code Signing Certificate

Organisation:	Forretningssted
Issuer:	Forretningssted
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-03-19T09:52:54Z
Valid to:	2027-03-19T09:52:54Z
Serial number:	3470e8e0b59dd40e12bc6154e5b826acb9362865
Thumbprint Algorithm:	SHA256
Thumbprint:	fbcdd5864211a9d74602b8e90c5fd16e49d6ecd9b48b8c3e24ab4aa92c7723ff
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

GuLoader NSIS

Details

Link:

https://research.acce.ciphertechsolutions.com/results/6a97d223-3ede-4654-bd20-14b9f7ab0517/

Malware family:

remcos

ID:

File name:

tar

Verdict:

Malicious activity

Analysis date:

2026-05-13 08:00:41 UTC

Tags:

arch-exec auto-reg remcos rat stealer

Link:

https://app.any.run/tasks/5866585e-2554-4297-a0da-081100230e3f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69844/

Detection(s):

YARA.SIGNATURE_BASE_SUSP_Nullsoftinst_Combo_Oct20_1.UNOFFICIAL

SecuriteInfo.com.NSIS.MalwareX-gen.41663133.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a042fcaaa2b27a55c89cd4d

Tags:

injection obfusc crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Creating a window

Searching for the window

Creating a file

Delayed reading of the file

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

Restart of the analyzed sample

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug base64 explorer guloader installer installer installer-heuristic lolbin microsoft_visual_cc nsis reconnaissance signed

Link:

https://www.filescan.io/uploads/6a268ddfbf16337e43bb27e5/reports/dabe4f6e-04a8-4582-9769-d47b0edf8ab1/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-11T21:46:00Z UTC

Last seen:

2026-06-07T04:08:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8/results?tab=lookup

Malware family:

Unlabeled

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e071a560-937e-46fb-8484-2088fd897ff0

Score:

77%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8

Gathering data

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8/

Threat name:

Win32.Trojan.Ravartar

Status:

Malicious

First seen:

2026-05-12 00:19:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5kzhv3w7gcfd2i37ihpmdc7sspfpekfn2baquy5t7wunk5exvlua._file

Verdict:

malicious

Label(s):

cloudeye

GuLoader

393f30348ea8776aa8d647b548afb06f03a56b5b212c5eaae7f306121cf3b57e

GuLoader

4e11fd9ebcd710646c1c685691837f3e2d4983e9232279ece12a6db9be569ba1

GuLoader

523a09b4d2a3041cf4fa5de52aa73d3caa049147209faf3f3f854819d5ed5ffb

GuLoader

d176fe5a5daf624834ecda3144e11ca2c3395de8cde5eed0263bb3caac597096

GuLoader

e4236b751a47d5b200cf57601fa4be5fde3478ec72bfc429c237b5e5c98fe728

GuLoader

+ 2'920 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/260608-lmbvesct2y/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Loads dropped DLL

Unpacked files

SH256 hash:

eab27aeedf308a3d237f41dec18bf293caf228add0410a63b3fda8d57497aae8

MD5 hash:

340ba0c0a4a4f53a3637015b5d41de7c

SHA1 hash:

ccf25191a1f631eb4288dbf41c33bface4be593d

Link:

https://www.unpac.me/results/6b4fd6f4-52a5-4135-a827-da7ee6010bba/

SH256 hash:

86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676

MD5 hash:

d2e45dd852a659e11897df573832f381

SHA1 hash:

19990ee627c95b6c18d3b5c5f0ec5c24791d0af5

Link:

https://www.unpac.me/results/6b4fd6f4-52a5-4135-a827-da7ee6010bba/

SH256 hash:

c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

MD5 hash:

9625d5b1754bc4ff29281d415d27a0fd

SHA1 hash:

80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

Link:

https://www.unpac.me/results/6b4fd6f4-52a5-4135-a827-da7ee6010bba/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SUSP_NullSoftInst_Combo_Oct20_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious NullSoft Installer combination with common Copyright strings
Reference:	https://twitter.com/malwrhunterteam/status/1313023627177193472

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69844/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample