guloader | 5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c

General

Target

5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe
Size

80KB
MD5

6245a28f7c93c175879998bf0312809d
SHA1

aa00c75bcb92bb3286e6e8b10c4d40135db3a2a6
SHA256

5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c
SHA512

0f1eaad3b05a43cc43272d96847882c3eddae3b953b10f875bd67d550b78cbc6eb6cc89e7f000f0b9ec88c78b13e30fc79b1f6645b2bc23d28e8f8084bb589d4

Score

10^/10

guloader downloader guloader persistence

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1Q0Ltq2Kw5sxwS2JWRYNfsyrv58mrj4ks

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 2 IoCs

guloader

Processes:

resource	yara_rule
behavioral1/memory/1276-57-0x00000000001D0000-0x00000000001DA000-memory.dmp	family_guloader
behavioral1/memory/720-65-0x0000000000090000-0x0000000000190000-memory.dmp	family_guloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PAYABLYBISMUT = "C:\\Users\\Admin\\Spdbarnsplej\\rumperfje.exe"	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exeRegAsm.exe

pid process

1276 5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe
720 RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe

description	pid	process	target process
PID 1276 set thread context of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe

pid	process
1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe
1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe
1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe

pid process

1276 5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe

description	pid	process	target process
PID 1276 wrote to memory of 1360	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 1360	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 1360	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 1360	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 1360	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 1360	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 1360	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 760	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 760	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 760	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 760	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 760	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 760	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 760	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe
PID 1276 wrote to memory of 720	1276	5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe
"C:\Users\Admin\AppData\Local\Temp\5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe"
2⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe"
2⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\5e7792550edc1085dfffcf3dad7dbc31e164c7149abdce5bbaae0715106a2e1c.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/720-65-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/720-66-0x0000000076D50000-0x0000000076EF9000-memory.dmp

Filesize
1.7MB

Download
memory/720-67-0x0000000076F30000-0x00000000770B0000-memory.dmp

Filesize
1.5MB

Download
memory/1276-57-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/1276-58-0x0000000076D50000-0x0000000076EF9000-memory.dmp

Filesize
1.7MB

Download
memory/1276-59-0x0000000076F30000-0x00000000770B0000-memory.dmp

Filesize
1.5MB

Download
memory/1276-61-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads