Overview

overview

10

Static

static

10

Invoice.exe

windows7_x64

10

Invoice.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INV0ICE C0PY.zip.7z

  • Size

    27KB

  • Sample

    220131-cecbjsddgp

  • MD5

    51d3bd691b4beb8b483b08933d6f533e

  • SHA1

    63c1695b4aeb4effb39b31698d33518e9e3aa98a

  • SHA256

    ed12457d2e41eddbf1fa49c3edf0e3e54f4c737a486055355f99e3136a652048

  • SHA512

    99424f94a08fbd7e438d4e23bfb73a3b4c992ef4dc7a06c33082d9301f5009cc333ff70f7b88821359b994cacf9b9012d390f9b71fb87d72e424b4a47ca47a15

Score
10/10
guloaderdownloaderguloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1YdzMc5lNekF42GRT6sm0BvWK7b2zDn1f

xor.base64

Targets

    • Target

      Invoice.exe

    • Size

      60KB

    • MD5

      02305e9d37d47426ee680cf76f11e2bd

    • SHA1

      ec6e579799848ca15bc88b28e3d8098a1385f4a3

    • SHA256

      c4237eedbf270996457b9c8c5722d6fbfcaf1446c0c7d73aea14317fabba85c1

    • SHA512

      ded4f29bd3131766c8c2a9f14f6989762410c56ea4cb90608585647c727dd5988c608b3e4702223bd309b9082830a54173eb6e6f4455cd38d3cd1bf1171930df

    Score
    10/10
    guloaderdownloaderguloaderpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Guloader Payload

      guloader

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks