guloader | 935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae

Analysis

max time kernel
101s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe
Size

60KB
MD5

d54c3346dcbbed15084c96b9c569dc0e
SHA1

f58bab915d9d33a26676750c2ae24e2ea69050d0
SHA256

935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae
SHA512

2cf3588e64ec82cf06b5a2f4e3a79a9af2637da9aec2445436cc25a7cc86cae53edf622453433471e651862dc3b80dc88a0031932b854bf5a182b23fa68b5ba0

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1N6W2WLdOxmRRSOjeu1oRU1aKDJOur2pv

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader payload 2 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/3612-132-0x0000000000000000-mapping.dmp	family_guloader
behavioral2/memory/3612-136-0x0000000000D00000-0x0000000000E00000-memory.dmp	family_guloader

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exeRegAsm.exe

pid process

2036 935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe
3612 RegAsm.exe

pid	process
2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe
3612	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe

description	pid	process	target process
PID 2036 set thread context of 3612	2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe

pid process

2036 935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe

pid process

2036 935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe

pid	process
2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe

pid	process
2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe

description	pid	process	target process
PID 2036 wrote to memory of 3612	2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe	RegAsm.exe
PID 2036 wrote to memory of 3612	2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe	RegAsm.exe
PID 2036 wrote to memory of 3612	2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe	RegAsm.exe
PID 2036 wrote to memory of 3612	2036	935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe
"C:\Users\Admin\AppData\Local\Temp\935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\935f36c0a213f780fec1e5a463e72246843b68583fddc80940bf512c425e69ae.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-133-0x0000000002240000-0x0000000002249000-memory.dmp

Filesize
36KB

Download
memory/2036-134-0x00007FFAA40B0000-0x00007FFAA42A5000-memory.dmp

Filesize
2.0MB

Download
memory/2036-135-0x00000000771F0000-0x0000000077393000-memory.dmp

Filesize
1.6MB

Download
memory/2036-140-0x0000000002240000-0x0000000002249000-memory.dmp

Filesize
36KB

Download
memory/2036-141-0x00000000771F0000-0x0000000077393000-memory.dmp

Filesize
1.6MB

Download
memory/3612-132-0x0000000000000000-mapping.dmp

Download
memory/3612-136-0x0000000000D00000-0x0000000000E00000-memory.dmp

Filesize
1024KB

Download
memory/3612-137-0x00007FFAA40B0000-0x00007FFAA42A5000-memory.dmp

Filesize
2.0MB

Download
memory/3612-138-0x00000000771F0000-0x0000000077393000-memory.dmp

Filesize
1.6MB

Download
memory/3612-139-0x00000000771F0000-0x0000000077393000-memory.dmp

Filesize
1.6MB

Download