guloader | e4d9fba1b0abefc577cb58b774b3f38892fe7ed7a57076f94354f510deafc332

General

Target

Comprobante de transferencia.pdf.exe
Size

48KB
MD5

fc0557257080e207819d005d257833f8
SHA1

5a7d76b52983a8babcfec637c0319a15c2dce22e
SHA256

72b08b2bc289e7665a1701f07f6e366898ceb61fa289007187fded38834267f3
SHA512

c036a1f635bf2adab66c2e29176cca3b1fde4f8319e1f09c562fef8aacf5ad99f61f8036ede90a10d86f6bf56eb67d36528780caa48f8ee8787b8a10e03eddd7

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=185yfGKZexOdEd7mpzk2cg-0hQHnY6XWe

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 2 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/2712-116-0x00000000029A0000-0x00000000029A7000-memory.dmp	family_guloader
behavioral2/memory/3508-119-0x0000000000F00000-0x0000000001100000-memory.dmp	family_guloader

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Comprobante de transferencia.pdf.exeRegAsm.exe

pid process

2712 Comprobante de transferencia.pdf.exe
3508 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Comprobante de transferencia.pdf.exe

description pid process target process

PID 2712 set thread context of 3508 2712 Comprobante de transferencia.pdf.exe RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Comprobante de transferencia.pdf.exe

pid process

2712 Comprobante de transferencia.pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Comprobante de transferencia.pdf.exe

pid process

2712 Comprobante de transferencia.pdf.exe

pid	process
2712	Comprobante de transferencia.pdf.exe
3508	RegAsm.exe

description	pid	process	target process
PID 2712 set thread context of 3508	2712	Comprobante de transferencia.pdf.exe	RegAsm.exe

pid	process
2712	Comprobante de transferencia.pdf.exe

pid	process
2712	Comprobante de transferencia.pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Comprobante de transferencia.pdf.exe

description	pid	process	target process
PID 2712 wrote to memory of 3508	2712	Comprobante de transferencia.pdf.exe	RegAsm.exe
PID 2712 wrote to memory of 3508	2712	Comprobante de transferencia.pdf.exe	RegAsm.exe
PID 2712 wrote to memory of 3508	2712	Comprobante de transferencia.pdf.exe	RegAsm.exe
PID 2712 wrote to memory of 3508	2712	Comprobante de transferencia.pdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2712-116-0x00000000029A0000-0x00000000029A7000-memory.dmp

Filesize
28KB

Download
memory/2712-117-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp

Filesize
1.9MB

Download
memory/2712-118-0x0000000077000000-0x000000007718E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-119-0x0000000000F00000-0x0000000001100000-memory.dmp

Filesize
2.0MB

Download
memory/3508-120-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp

Filesize
1.9MB

Download
memory/3508-121-0x0000000077000000-0x000000007718E000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing