guloader | 4b6908ad09c817290c3a37fb078b6667e2479aa32264946e724e8cd39d7de250 | Triage

Sharing

General

Target

4b6908ad09c817290c3a37fb078b6667e2479aa32264946e724e8cd39d7de250
Size

100KB
Sample

221125-lts3aagh59
MD5

6dff5a79a9bc46bf3267a234abee1416
SHA1

9f1812f43c31156297c297f637a0e5dc51d8e727
SHA256

4b6908ad09c817290c3a37fb078b6667e2479aa32264946e724e8cd39d7de250
SHA512

55866786a0c0bc68ac23604e59ba7e73570e58690ceebee3133cbd2ae4aa9d5203c260c302a96d2abf6200c17b59bcf0fdd09c7c708649c633c81beefabe2f60
SSDEEP

768:G729FUTWbLYqHmHF6QwYXPSdDjYA4vH3d7/+dKZo:TnUTWgplsuKdDjpCHt7/+Yo

Score

10^/10

guloader downloader persistence

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1LcWyjKOhCqF8z_TZw5yPPFDSHn9QcgVP

http://marckasgfdvc.ug/Host12_encrypted_452A510.bin

xor.base64

Targets

- Target
  
  4b6908ad09c817290c3a37fb078b6667e2479aa32264946e724e8cd39d7de250
- Size
  
  100KB
- MD5
  
  6dff5a79a9bc46bf3267a234abee1416
- SHA1
  
  9f1812f43c31156297c297f637a0e5dc51d8e727
- SHA256
  
  4b6908ad09c817290c3a37fb078b6667e2479aa32264946e724e8cd39d7de250
- SHA512
  
  55866786a0c0bc68ac23604e59ba7e73570e58690ceebee3133cbd2ae4aa9d5203c260c302a96d2abf6200c17b59bcf0fdd09c7c708649c633c81beefabe2f60
- SSDEEP
  
  768:G729FUTWbLYqHmHF6QwYXPSdDjYA4vH3d7/+dKZo:TnUTWgplsuKdDjpCHt7/+Yo
Score

10^/10

guloader downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdownloaderpersistence

behavioral2

guloaderdownloaderpersistence