guloader | e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e | Triage

Sharing

General

Target

e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e
Size

136KB
Sample

220131-167hrsdcc4
MD5

913fc7a8a80e209997ad142ffce2d619
SHA1

707bad900cc22eaf7ad3d4425ec657f5da05f405
SHA256

e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e
SHA512

96b03b2805c7493931ffc551a04e9a3ddbd413d171cd8b1f6e9ae3d2697e034d4835ceef23d84cd9520f4c3f4bd48178c1a1beb299394d86b52f2c072034df04

Score

10^/10

guloader downloader persistence

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1dtlMCyozUPBepc-AtEdirGENZBpWesAi

xor.base64

Targets

- Target
  
  e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e
- Size
  
  136KB
- MD5
  
  913fc7a8a80e209997ad142ffce2d619
- SHA1
  
  707bad900cc22eaf7ad3d4425ec657f5da05f405
- SHA256
  
  e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e
- SHA512
  
  96b03b2805c7493931ffc551a04e9a3ddbd413d171cd8b1f6e9ae3d2697e034d4835ceef23d84cd9520f4c3f4bd48178c1a1beb299394d86b52f2c072034df04
Score

10^/10

guloader downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Sets service image path in registry
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloaderdownloader

behavioral2

guloaderdownloaderpersistence