guloader | c87290bb28696eddacaadc0f01805f841bda964d55efa9c39d0a06f1d31ede3b | Triage

Sharing

General

Target

c87290bb28696eddacaadc0f01805f841bda964d55efa9c39d0a06f1d31ede3b
Size

84KB
Sample

220131-18hmesdcd9
MD5

6f771a54cdb6f1cc2130310bc40f215f
SHA1

f860c1449917fb1e5418a4862bbb28b79ec29787
SHA256

c87290bb28696eddacaadc0f01805f841bda964d55efa9c39d0a06f1d31ede3b
SHA512

d49d0db7bc6fa784e517d5d457b4516faa2d2bc36e336827c1a10c251daeb725a9bc1edc815d58febb0bb3068bf68086700dbfd0376aeb9b08041214cc15eb0f

Score

10^/10

guloader downloader persistence

Malware Config

Extracted

Family

guloader

C2

https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21250&authkey=AC-XqzwfVaSlHmQ

xor.base64

Targets

- Target
  
  c87290bb28696eddacaadc0f01805f841bda964d55efa9c39d0a06f1d31ede3b
- Size
  
  84KB
- MD5
  
  6f771a54cdb6f1cc2130310bc40f215f
- SHA1
  
  f860c1449917fb1e5418a4862bbb28b79ec29787
- SHA256
  
  c87290bb28696eddacaadc0f01805f841bda964d55efa9c39d0a06f1d31ede3b
- SHA512
  
  d49d0db7bc6fa784e517d5d457b4516faa2d2bc36e336827c1a10c251daeb725a9bc1edc815d58febb0bb3068bf68086700dbfd0376aeb9b08041214cc15eb0f
Score

10^/10

guloader downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Sets service image path in registry
  persistence
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

guloaderdownloader

behavioral2

guloaderdownloaderpersistence