guloader | 34f1d59ffd6685828a5d172cfa3243a067c6d34133ecebdfd098d856402173a3 | Triage

Submit
Reports

Overview

overview

Static

static

097eb0cafe...91.vbs

windows7-x64

097eb0cafe...91.vbs

windows10-2004-x64

Sharing

General

Target

097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491.zip
Size

130KB
Sample

230114-w1mtysbf78
MD5

90bfa24e80e68831047ff6e1e01f8ff1
SHA1

9611c6cbd72ec87d3c3eed2477f68c12291c8038
SHA256

34f1d59ffd6685828a5d172cfa3243a067c6d34133ecebdfd098d856402173a3
SHA512

bf34be0677c9671bbb6766e240d96ab10bbb090e1a0cf1dfa275136e22321b615829d0deee445af7375c6b39142004b9700d42b3e1cf973b07b27728ffbc29bc
SSDEEP

3072:XiD+M3heuSlR108q3wjaAEak0qlSqRtOuAbecFBMHwL5sRRIO+bC:XC+t1Jq3wVWcqRtOZbRDMCO

Score

10^/10

guloader collection downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491.vbs

Resource

win7-20221111-en

guloader collection downloader persistence

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491.vbs

Resource

win10v2004-20220901-en

guloader downloader

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491.vbs
- Size
  
  193KB
- MD5
  
  7b458417e456edfb8816b9f063dd7f4a
- SHA1
  
  c42d1ff212085b0bd1a150b1e4e0cca2d7cf0dfb
- SHA256
  
  097eb0cafefed7ddcab95345b850b7f8fa2ba518068275225d9b6a313e1f3491
- SHA512
  
  da58b88ee2a7af27061808331f9fd2d14bf8cb6cc94099f7b7effecfd376e7d6a577d475ac04b0c4ce38417a8110daa9d7e63851da1223d343b4c6701e51782b
- SSDEEP
  
  6144:9vsgtPU635A3VxHwQA4hCLx4kjjrPEZp95g+Z/TugoVD9EwM8YmhCXo+v9kaRKZv:B9v35ElxXhCLxdPP8/6
Score

10^/10

guloader collection downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

guloadercollectiondownloaderpersistence

behavioral2

guloaderdownloader

© 2018-2024

Terms | Privacy