guloader | 5848b5efeea58c2c353b352f7f0d2043dc806cb9d387ca6206562773c95cb37e | Triage

Submit
Reports

Overview

overview

Static

static

New#PO-910974.pdf.exe

windows7_x64

New#PO-910974.pdf.exe

windows10_x64

Sharing

General

Target

New#PO-910974.pdf.exe
Size

136KB
Sample

210420-1fv3cpw8bj
MD5

a5927ee08778a03b9a85bdbe8614045c
SHA1

b11323997a972820db34d5353f89327de427c2a7
SHA256

5848b5efeea58c2c353b352f7f0d2043dc806cb9d387ca6206562773c95cb37e
SHA512

60150f9a1a23685ecfce5359076d815359b62800d99ac580ea6c4272e85b5065365ef582eccc67e01c7db1128b37c6b76d3cc429bd47edade7468fa78db690a0

Score

10^/10

guloader oski discovery downloader guloader infostealer spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

New#PO-910974.pdf.exe

Resource

win7v20210410

guloader oski discovery downloader guloader infostealer spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New#PO-910974.pdf.exe

Resource

win10v20210408

guloader oski discovery downloader guloader infostealer spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1Mt156cEQBM8iCmgCoxOvvzyFlkQ-bWCX

xor.base64

Extracted

Family

oski

C2

45.85.90.86

Targets

- Target
  
  New#PO-910974.pdf.exe
- Size
  
  136KB
- MD5
  
  a5927ee08778a03b9a85bdbe8614045c
- SHA1
  
  b11323997a972820db34d5353f89327de427c2a7
- SHA256
  
  5848b5efeea58c2c353b352f7f0d2043dc806cb9d387ca6206562773c95cb37e
- SHA512
  
  60150f9a1a23685ecfce5359076d815359b62800d99ac580ea6c4272e85b5065365ef582eccc67e01c7db1128b37c6b76d3cc429bd47edade7468fa78db690a0
Score

10^/10

guloader oski discovery downloader guloader infostealer spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Guloader Payload
  guloader
- Downloads MZ/PE file
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloaderoskidiscoverydownloaderguloaderinfostealerspywarestealer

behavioral2

guloaderoskidiscoverydownloaderguloaderinfostealerspywarestealer

© 2018-2024

Terms | Privacy