guloader | f2a3035856ea842d20d4b392bbef15c45f8485186174b32e3215282bce0d5ead | Triage

Analysis

max time kernel
98s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
27-07-2021 08:11

Sharing

Report Analysis Logs

General

Target

March Purchase Order.bat.exe
Size

168KB
MD5

88e4ab4f1cdc03675e92f722a71cebda
SHA1

f0163c37556d016942db3f2690161cc84a3aaffa
SHA256

ff9915094e0004d3a6918ebbd606bbca77efa8ab55f1aab1882bd02ef8093283
SHA512

ee56d7012168bcad5a5dda24dc3e215025a910c91dec6b0f17cbc68954895430ca380cda4972d98328127b05dafe333c1a8b995e64be405674a11d8f313c1777

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

C2

https://onedrive.live.com/download?cid=26BBD7D5AD88DD29&resid=26BBD7D5AD88DD29%21115&authkey=ACIPfa3gbIQqcvU

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3424-116-0x00000000001C0000-0x00000000001CB000-memory.dmp	family_guloader

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

March Purchase Order.bat.exe

pid process

3424 March Purchase Order.bat.exe

C:\Users\Admin\AppData\Local\Temp\March Purchase Order.bat.exe
"C:\Users\Admin\AppData\Local\Temp\March Purchase Order.bat.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3424

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3424-116-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/3424-117-0x00007FF8504F0000-0x00007FF8506CB000-memory.dmp

Filesize
1.9MB

Download