guloader | 502289d544b27378272f693a139db58e368f4870be91ff2510a4b1c99635ea22

General

Target

Order List from Dunen Enterprise Corporation.exe
Size

128KB
MD5

744d832006910318b2826e4cc8db4b11
SHA1

b58f485d5153dc4cb1a608091e1174d6fc966a4a
SHA256

e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
SHA512

2ef7a81389e03fe8cdaa42e39e9df842d811b87b97d50e915e01d8fa35e3eaa49f7aaa03aa5a534e3413a636d3bf011ff9774a4b5b2553fbecef24aa8425deb4

Score

10^/10

guloader xloader hhse downloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

hhse

C2

http://www.mx-online-service.xyz/hhse/

Decoy

gujranwala.city

peinture-san-deco.com

disvapes.com

tekst-sanderlei.com

veryfastsnail.com

yaqiong.net

onlinebingocenter.com

kenttreesurgery.com

berislavic.com

ecomemailspack.com

drgustavoteyssier.com

mayfieldslodge.com

qiubaolink.com

kevinkensik.com

boatmanagementexpert.com

dbylkov.com

griffin-designs.com

glowlikethis.com

fuckjules.com

lxqc6688.com

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/748-66-0x0000000000401000-0x00000000004FD000-memory.dmp	xloader
behavioral1/memory/876-73-0x00000000000B0000-0x00000000000D8000-memory.dmp	xloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Order List from Dunen Enterprise Corporation.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Order List from Dunen Enterprise Corporation.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1260 cmd.exe

pid	process
1260	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exe

pid	process
1656	Order List from Dunen Enterprise Corporation.exe
748	Order List from Dunen Enterprise Corporation.exe
748	Order List from Dunen Enterprise Corporation.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exewscript.exe

description	pid	process	target process
PID 1656 set thread context of 748	1656	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 748 set thread context of 1200	748	Order List from Dunen Enterprise Corporation.exe	Explorer.EXE
PID 876 set thread context of 1200	876	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exewscript.exe

pid process

748 Order List from Dunen Enterprise Corporation.exe
748 Order List from Dunen Enterprise Corporation.exe
876 wscript.exe
876 wscript.exe

pid	process
748	Order List from Dunen Enterprise Corporation.exe
748	Order List from Dunen Enterprise Corporation.exe
876	wscript.exe
876	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exewscript.exe

pid	process
1656	Order List from Dunen Enterprise Corporation.exe
748	Order List from Dunen Enterprise Corporation.exe
748	Order List from Dunen Enterprise Corporation.exe
748	Order List from Dunen Enterprise Corporation.exe
876	wscript.exe
876	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exewscript.exe

description pid process

Token: SeDebugPrivilege 748 Order List from Dunen Enterprise Corporation.exe
Token: SeDebugPrivilege 876 wscript.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exe

pid process

1656 Order List from Dunen Enterprise Corporation.exe

description	pid	process
Token: SeDebugPrivilege	748	Order List from Dunen Enterprise Corporation.exe
Token: SeDebugPrivilege	876	wscript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1656 wrote to memory of 748	1656	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 1656 wrote to memory of 748	1656	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 1656 wrote to memory of 748	1656	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 1656 wrote to memory of 748	1656	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 1656 wrote to memory of 748	1656	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 1200 wrote to memory of 876	1200	Explorer.EXE	wscript.exe
PID 1200 wrote to memory of 876	1200	Explorer.EXE	wscript.exe
PID 1200 wrote to memory of 876	1200	Explorer.EXE	wscript.exe
PID 1200 wrote to memory of 876	1200	Explorer.EXE	wscript.exe
PID 876 wrote to memory of 1260	876	wscript.exe	cmd.exe
PID 876 wrote to memory of 1260	876	wscript.exe	cmd.exe
PID 876 wrote to memory of 1260	876	wscript.exe	cmd.exe
PID 876 wrote to memory of 1260	876	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe
"C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe
"C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe"
3⤵
- Deletes itself
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-62-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/748-68-0x000000001DF10000-0x000000001E0D4000-memory.dmp

Filesize
1.8MB

Download
memory/748-57-0x0000000000401574-mapping.dmp

Download
memory/748-58-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/748-67-0x000000001E7C0000-0x000000001EAC3000-memory.dmp

Filesize
3.0MB

Download
memory/748-66-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/748-65-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/876-72-0x0000000000640000-0x0000000000666000-memory.dmp

Filesize
152KB

Download
memory/876-70-0x0000000000000000-mapping.dmp

Download
memory/876-73-0x00000000000B0000-0x00000000000D8000-memory.dmp

Filesize
160KB

Download
memory/876-74-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/876-75-0x00000000004F0000-0x000000000057F000-memory.dmp

Filesize
572KB

Download
memory/1200-69-0x0000000006E30000-0x0000000006F7F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-76-0x00000000050F0000-0x000000000521E000-memory.dmp

Filesize
1.2MB

Download
memory/1260-71-0x0000000000000000-mapping.dmp

Download
memory/1656-61-0x0000000076F00000-0x0000000076FD6000-memory.dmp

Filesize
856KB

Download
memory/1656-60-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1656-59-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/1656-56-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/1656-54-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads