guloader | 097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491 | Triage

Submit
Reports

Overview

overview

Static

static

skivesvamps.vbs

windows7-x64

skivesvamps.vbs

windows10-2004-x64

Sharing

General

Target

skivesvamps.vbs
Size

193KB
Sample

230114-jcyv4acc82
MD5

7b458417e456edfb8816b9f063dd7f4a
SHA1

c42d1ff212085b0bd1a150b1e4e0cca2d7cf0dfb
SHA256

097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491
SHA512

da58b88ee2a7af27061808331f9fd2d14bf8cb6cc94099f7b7effecfd376e7d6a577d475ac04b0c4ce38417a8110daa9d7e63851da1223d343b4c6701e51782b
SSDEEP

6144:9vsgtPU635A3VxHwQA4hCLx4kjjrPEZp95g+Z/TugoVD9EwM8YmhCXo+v9kaRKZv:B9v35ElxXhCLxdPP8/6

Score

10^/10

guloader collection downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

skivesvamps.vbs

Resource

win7-20221111-en

guloader collection downloader persistence

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

skivesvamps.vbs

Resource

win10v2004-20220901-en

guloader downloader persistence

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  skivesvamps.vbs
- Size
  
  193KB
- MD5
  
  7b458417e456edfb8816b9f063dd7f4a
- SHA1
  
  c42d1ff212085b0bd1a150b1e4e0cca2d7cf0dfb
- SHA256
  
  097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491
- SHA512
  
  da58b88ee2a7af27061808331f9fd2d14bf8cb6cc94099f7b7effecfd376e7d6a577d475ac04b0c4ce38417a8110daa9d7e63851da1223d343b4c6701e51782b
- SSDEEP
  
  6144:9vsgtPU635A3VxHwQA4hCLx4kjjrPEZp95g+Z/TugoVD9EwM8YmhCXo+v9kaRKZv:B9v35ElxXhCLxdPP8/6
Score

10^/10

guloader collection downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloadercollectiondownloaderpersistence

behavioral2

guloaderdownloaderpersistence

© 2018-2024

Terms | Privacy