guloader | e97e14f57e6f9ad987e4b5079b7ba8a387115b89784958d40d1f65d79d027315 | Triage

Sharing

General

Target

e97e14f57e6f9ad987e4b5079b7ba8a387115b89784958d40d1f65d79d027315
Size

84KB
Sample

220131-165n6sdcc3
MD5

92345545d4c4826d147940ceb326d0d2
SHA1

8e04adf5606faa643028e75a5d9adab400ec31d5
SHA256

e97e14f57e6f9ad987e4b5079b7ba8a387115b89784958d40d1f65d79d027315
SHA512

469f80d61c81292f6be1931ae15d24beaf1562019a44050a1cb3eab82343cccd21ee3f2d0f2d19adf8e66b3c18536150b9f1bc9d1fd5e6d32a525dc013f23fa8

Score

10^/10

guloader downloader persistence

Malware Config

Extracted

Family

guloader

C2

https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21251&authkey=AJfIELIxPkc02ok

xor.base64

Targets

- Target
  
  e97e14f57e6f9ad987e4b5079b7ba8a387115b89784958d40d1f65d79d027315
- Size
  
  84KB
- MD5
  
  92345545d4c4826d147940ceb326d0d2
- SHA1
  
  8e04adf5606faa643028e75a5d9adab400ec31d5
- SHA256
  
  e97e14f57e6f9ad987e4b5079b7ba8a387115b89784958d40d1f65d79d027315
- SHA512
  
  469f80d61c81292f6be1931ae15d24beaf1562019a44050a1cb3eab82343cccd21ee3f2d0f2d19adf8e66b3c18536150b9f1bc9d1fd5e6d32a525dc013f23fa8
Score

10^/10

guloader downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Sets service image path in registry
  persistence
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

guloaderdownloader

behavioral2

guloaderdownloaderpersistence