guloader | d9465ad29caa66ba9d539f9b59a4d058147bf13d284e6289fc7b6ef3b9a4bb1b

General

Target

REMITTAN.exe
Size

104KB
MD5

a5227202babf335d14eec4a0a497f62c
SHA1

b1ccb23abcaf2271167b9e7534e40512d8a36723
SHA256

e761de2471fe1811d6a545231c1aa3d6b8065f0157af871808d2443c8c61dd09
SHA512

b46ed3cbc786d997153be17ed7e1df5f08ed5525a09d7b824ff94dd4cca20c98ce7d015fb09ff2bca18bfeff81c3502fb4d6ba18714e5cc76b34e05cc98a16c1

Score

10^/10

guloader downloader guloader persistence

Malware Config

Extracted

Family

guloader

C2

https://twadatabase.com/uj/newsamcav_HgMSY69.bin

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 3 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/4576-132-0x0000000002080000-0x000000000208D000-memory.dmp	family_guloader
behavioral2/memory/3052-134-0x0000000000000000-mapping.dmp	family_guloader
behavioral2/memory/3052-136-0x0000000001150000-0x0000000001250000-memory.dmp	family_guloader

Checks QEMU agent state file 2 TTPs 2 IoCs

Checks state file used by QEMU agent, possibly to detect virtualization.

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

REMITTAN.exeRegAsm.exe

description	ioc	process
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	REMITTAN.exe
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\subfolder1\\filename1.exe"	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

REMITTAN.exeRegAsm.exe

pid process

4576 REMITTAN.exe
3052 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

REMITTAN.exe

description pid process target process

PID 4576 set thread context of 3052 4576 REMITTAN.exe RegAsm.exe

pid	process
4576	REMITTAN.exe
3052	RegAsm.exe

description	pid	process	target process
PID 4576 set thread context of 3052	4576	REMITTAN.exe	RegAsm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

REMITTAN.exe

pid process

4576 REMITTAN.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

REMITTAN.exe

pid process

4576 REMITTAN.exe

pid	process
4576	REMITTAN.exe

pid	process
4576	REMITTAN.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

REMITTAN.exe

description	pid	process	target process
PID 4576 wrote to memory of 3052	4576	REMITTAN.exe	RegAsm.exe
PID 4576 wrote to memory of 3052	4576	REMITTAN.exe	RegAsm.exe
PID 4576 wrote to memory of 3052	4576	REMITTAN.exe	RegAsm.exe
PID 4576 wrote to memory of 3052	4576	REMITTAN.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe
"C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe"
1⤵
- Checks QEMU agent state file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe"
2⤵
- Checks QEMU agent state file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-134-0x0000000000000000-mapping.dmp

Download
memory/3052-136-0x0000000001150000-0x0000000001250000-memory.dmp

Filesize
1024KB

Download
memory/3052-137-0x00007FF8D8530000-0x00007FF8D8725000-memory.dmp

Filesize
2.0MB

Download
memory/3052-138-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download
memory/3052-139-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download
memory/4576-132-0x0000000002080000-0x000000000208D000-memory.dmp

Filesize
52KB

Download
memory/4576-133-0x00007FF8D8530000-0x00007FF8D8725000-memory.dmp

Filesize
2.0MB

Download
memory/4576-135-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads