MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GuLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f
SHA3-384 hash: a38b6c383657fbcd00e2f197af3fb1c7688418f706a7e483f64c557c989576611312db77f283a746f34cdae57e679051
SHA1 hash: 496fb09a448c6c864a005bac56117f928fc18bfa
MD5 hash: a640f31c4702d7c9dde803304f1c6703
humanhash: sodium-michigan-zebra-freddie
File name:scan.gz
Download: download sample
Signature GuLoader
Create hunting rule
File size:1'285'506 bytes
First seen:2025-09-12 13:19:37 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:szrWCUDjrTxFXQFcKQrH4Udji3VEmOA4zcwfv5RfUUlv+m+klGG5:0YjZFXTKQrYUdjVm4w4v524v/GQ
TLSH T1825533D7BEF6FB78638F49DE55F8498A0D4567E13328092A0466D861DF2E35AB383031
Magika zip
Reporter cocaman
Tags:GuLoader gz payment zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Aaron Fiseha <kaia@reelgreat.com>" (likely spoofed)
Received: "from stick.reelgreat.com (stick.reelgreat.com [94.156.175.98]) "
Date: "12 Sep 2025 06:19:03 -0700"
Subject: "New Order Payment - US$ 38.000"
Attachment: "scan.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:scan.exe
File size:1'315'560 bytes
SHA256 hash: 3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f
MD5 hash: 474280a75227be516c65a443fef9d8d6
MIME type:application/x-dosexec
Signature GuLoader
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c3ca0ab2005259887a027a
Tags:
n/a
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc nsis overlay packed signed
Link:
https://www.filescan.io/uploads/68c41e225ebd1d861ec451d6/reports/83e69ee5-96ca-4249-9b01-0e0af324f3dd/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
zip
First seen:
2025-09-12T01:00:00Z UTC
Last seen:
2025-09-12T01:00:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f/results?tab=lookup
Score:
84%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Zip Archive
Link:
https://app.malva.re/file/a640f31c4702d7c9dde803304f1c6703
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-09-12 04:26:26 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=542z5xmppzsmcwblgbzkslhrzrxbgaxmefcuwqqthor2mnus5exq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos discovery rat
Link:
https://tria.ge/reports/250912-rh5jtsytcz/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Remcos
Remcos family
Malware Config
C2 Extraction:
196.251.80.39:2404
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

zip ef359edd8f7e64c1582b3072a92cf1cc6e1302ec21454b42133ba3a63692e92f

(this sample)

GuLoader

Executable exe 3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3a11ba9d0fe917eca75c6038281c7bd55dea9ce1e0dc1b478d55e2592e6f846f
  
Dropping
GuLoader
  
Dropping
MD5 474280a75227be516c65a443fef9d8d6

Comments