guloader | ba33c33e01b5f72eb0e0651f58de0641447b40301d8793965e70e67bf83447e8

General

Target

B2020006307357.PDF...exe
Size

52KB
MD5

42e026716bcf95406beca59b834a1432
SHA1

9474067350e0211faff4eb0c14dc2982897ee6f9
SHA256

1dd138afd050e4d29b20494c3bd607685295f2cd8217c1e6ddd9b47e54961f38
SHA512

01873ec441a283c55948052c4a835c7fd5246f695ed955239168dc583299c1bf58536f80d77e0a4c76e19ca04e51ef9ce927c806489bf1b122d0b6ad44d1df9b

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1nxID3cbZ3N3YCfZ5Mt-WYptrBK_9HFWH

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 2 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/2056-120-0x00000000022C0000-0x00000000022C8000-memory.dmp	family_guloader
behavioral2/memory/3372-123-0x0000000000700000-0x00000000009F0000-memory.dmp	family_guloader

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

B2020006307357.PDF...exeRegAsm.exe

pid process

2056 B2020006307357.PDF...exe
3372 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

B2020006307357.PDF...exe

description pid process target process

PID 2056 set thread context of 3372 2056 B2020006307357.PDF...exe RegAsm.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

B2020006307357.PDF...exe

pid process

2056 B2020006307357.PDF...exe
2056 B2020006307357.PDF...exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

B2020006307357.PDF...exe

pid process

2056 B2020006307357.PDF...exe

pid	process
2056	B2020006307357.PDF...exe
3372	RegAsm.exe

description	pid	process	target process
PID 2056 set thread context of 3372	2056	B2020006307357.PDF...exe	RegAsm.exe

pid	process
2056	B2020006307357.PDF...exe
2056	B2020006307357.PDF...exe

pid	process
2056	B2020006307357.PDF...exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

B2020006307357.PDF...exe

description	pid	process	target process
PID 2056 wrote to memory of 3388	2056	B2020006307357.PDF...exe	RegAsm.exe
PID 2056 wrote to memory of 3388	2056	B2020006307357.PDF...exe	RegAsm.exe
PID 2056 wrote to memory of 3388	2056	B2020006307357.PDF...exe	RegAsm.exe
PID 2056 wrote to memory of 3372	2056	B2020006307357.PDF...exe	RegAsm.exe
PID 2056 wrote to memory of 3372	2056	B2020006307357.PDF...exe	RegAsm.exe
PID 2056 wrote to memory of 3372	2056	B2020006307357.PDF...exe	RegAsm.exe
PID 2056 wrote to memory of 3372	2056	B2020006307357.PDF...exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\B2020006307357.PDF...exe
"C:\Users\Admin\AppData\Local\Temp\B2020006307357.PDF...exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\B2020006307357.PDF...exe"
2⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\B2020006307357.PDF...exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-120-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2056-121-0x00007FF9C9E30000-0x00007FF9CA00B000-memory.dmp

Filesize
1.9MB

Download
memory/2056-122-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3372-123-0x0000000000700000-0x00000000009F0000-memory.dmp

Filesize
2.9MB

Download
memory/3372-124-0x00007FF9C9E30000-0x00007FF9CA00B000-memory.dmp

Filesize
1.9MB

Download
memory/3372-125-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing