guloader | be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc

General

Target

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
Size

64KB
MD5

b2a52460d7ddcf0d1eb6cb98171309da
SHA1

fe2ae9c1d227e045351d4c8e64089cade6ca2f48
SHA256

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc
SHA512

d332b3cefa05f13338ebfdf5d2f87de593d82371ad950d815a8b5e4c41f06fb8a8722ab9da77286c7d6da82effc2faa4b7de246943f86f39e91ce3c926deb8cd

Score

10^/10

guloader webmonitor backdoor downloader infostealer rat upx

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1YqiJ4rfI-Gtvq2s00N_eqstSWsnL_fgd

Extracted

Family

webmonitor

C2

olaviqs.wm01.to:443

Attributes

config_key
7GfpikpHRvmQe3t81PSe02B3qwlPiFPx
private_key
JklcEIRIO
url_path
/recv5.php

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1380-74-0x0000000000400000-0x0000000000553000-memory.dmp	family_webmonitor

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1380-69-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/1380-71-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1380-74-0x0000000000400000-0x0000000000553000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exebe684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

pid	process
1376	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
1380	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
1380	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

description	pid	process	target process
PID 1376 set thread context of 1380	1376	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1104 1380 WerFault.exe be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

pid process

1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

pid process

1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

pid	pid_target	process	target process
1104	1380	WerFault.exe	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exebe684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

description	pid	process	target process
PID 1376 wrote to memory of 1380	1376	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
PID 1376 wrote to memory of 1380	1376	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
PID 1376 wrote to memory of 1380	1376	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
PID 1376 wrote to memory of 1380	1376	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
PID 1376 wrote to memory of 1380	1376	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
PID 1380 wrote to memory of 1104	1380	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	WerFault.exe
PID 1380 wrote to memory of 1104	1380	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	WerFault.exe
PID 1380 wrote to memory of 1104	1380	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	WerFault.exe
PID 1380 wrote to memory of 1104	1380	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
"C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
  "C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1380
    3⤵
    - Program crash
    PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-73-0x0000000000000000-mapping.dmp

Download
memory/1376-64-0x00000000778F0000-0x0000000077A70000-memory.dmp

Filesize
1.5MB

Download
memory/1376-59-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1376-61-0x0000000077710000-0x00000000778B9000-memory.dmp

Filesize
1.7MB

Download
memory/1376-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1380-66-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/1380-60-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1380-67-0x0000000077710000-0x00000000778B9000-memory.dmp

Filesize
1.7MB

Download
memory/1380-68-0x00000000778F0000-0x0000000077A70000-memory.dmp

Filesize
1.5MB

Download
memory/1380-69-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1380-71-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1380-58-0x00000000004012A0-mapping.dmp

Download
memory/1380-74-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1380-75-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads