guloader | be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc

General

Target

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
Size

64KB
MD5

b2a52460d7ddcf0d1eb6cb98171309da
SHA1

fe2ae9c1d227e045351d4c8e64089cade6ca2f48
SHA256

be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc
SHA512

d332b3cefa05f13338ebfdf5d2f87de593d82371ad950d815a8b5e4c41f06fb8a8722ab9da77286c7d6da82effc2faa4b7de246943f86f39e91ce3c926deb8cd

Score

10^/10

guloader webmonitor backdoor downloader infostealer persistence rat suricata upx

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1YqiJ4rfI-Gtvq2s00N_eqstSWsnL_fgd

Extracted

Family

webmonitor

C2

olaviqs.wm01.to:443

Attributes

config_key
7GfpikpHRvmQe3t81PSe02B3qwlPiFPx
private_key
JklcEIRIO
url_path
/recv5.php

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 4 IoCs

resource	yara_rule
behavioral2/memory/724-146-0x0000000000400000-0x000000000055D000-memory.dmp	family_webmonitor
behavioral2/memory/724-147-0x0000000000400000-0x000000000055D000-memory.dmp	family_webmonitor
behavioral2/memory/724-148-0x000000001FAA0000-0x0000000020AA0000-memory.dmp	family_webmonitor
behavioral2/memory/724-152-0x0000000000400000-0x000000000055D000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/724-142-0x0000000000400000-0x000000000055D000-memory.dmp	upx
behavioral2/memory/724-144-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/724-146-0x0000000000400000-0x000000000055D000-memory.dmp	upx
behavioral2/memory/724-147-0x0000000000400000-0x000000000055D000-memory.dmp	upx
behavioral2/memory/724-152-0x0000000000400000-0x000000000055D000-memory.dmp	upx

Unexpected DNS network traffic destination 31 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WebMonitor-8211 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-8211.exe"	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
724	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
724	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 724	4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	83

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
724	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	724	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
Token: SeCreatePagefilePrivilege	724	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 724	4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	83
PID 4884 wrote to memory of 724	4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	83
PID 4884 wrote to memory of 724	4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	83
PID 4884 wrote to memory of 724	4884	be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe	83

C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
"C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
  "C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/724-147-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/724-153-0x000000001FAA0000-0x0000000020AA0000-memory.dmp

Filesize
16.0MB

Download
memory/724-141-0x00000000771C0000-0x0000000077363000-memory.dmp

Filesize
1.6MB

Download
memory/724-136-0x0000000000401000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/724-142-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/724-138-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/724-140-0x00007FF841690000-0x00007FF841885000-memory.dmp

Filesize
2.0MB

Download
memory/724-152-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/724-151-0x00000000771C0000-0x0000000077363000-memory.dmp

Filesize
1.6MB

Download
memory/724-134-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/724-146-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/724-144-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/724-148-0x000000001FAA0000-0x0000000020AA0000-memory.dmp

Filesize
16.0MB

Download
memory/724-149-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/724-150-0x00007FF841690000-0x00007FF841885000-memory.dmp

Filesize
2.0MB

Download
memory/4884-133-0x0000000003070000-0x0000000003078000-memory.dmp

Filesize
32KB

Download
memory/4884-139-0x00000000771C0000-0x0000000077363000-memory.dmp

Filesize
1.6MB

Download
memory/4884-137-0x00007FF841690000-0x00007FF841885000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads