guloader | de1f58a34c4ebcf1d15f7a46c522985d8b6980612fc5a91c0404ab229e949b97 | Triage

Submit
Reports

Overview

overview

Static

static

Purchase I...df.exe

windows7-x64

Purchase I...df.exe

windows10-2004-x64

Sharing

General

Target

Purchase Inquiry_NBI-20190123_pdf.rar
Size

520KB
Sample

230119-jm21hafd68
MD5

6524b965bd8d8ab4c17ebae607759200
SHA1

659c33b542a7b4656c4c142706d200bc94e2a208
SHA256

de1f58a34c4ebcf1d15f7a46c522985d8b6980612fc5a91c0404ab229e949b97
SHA512

ca773254ef9bc876c4bcab1ab20dae163653c6f3805e4075180ba76efd8af14949a3ee90ec5d66e78a1bd2bb50830ca90dbccbc6c76db05d8645d3d956fff644
SSDEEP

12288:C4VV4FCQWQd2cpkpwPSLCxNTFHdT400CMvXJbja0wFf:C3FCu2lpoaCxpT400CMfJxw9

Score

10^/10

guloader collection discovery downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

Purchase Inquiry_NBI-20190123_pdf.exe

Resource

win7-20221111-en

guloader collection discovery downloader persistence

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase Inquiry_NBI-20190123_pdf.exe

Resource

win10v2004-20221111-en

guloader discovery downloader persistence

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  Purchase Inquiry_NBI-20190123_pdf.exe
- Size
  
  814KB
- MD5
  
  6e46c58d54f6f133e9b30a157fa46005
- SHA1
  
  33d1dcb3fa5f4a957dac5f6c9fa81c6bba71e114
- SHA256
  
  40ffe1b0d408557aab2b0c0399bd37102a62439d9d62caab05a4b7fe501b7382
- SHA512
  
  ef1eef94d6a5f199f1ce6c00591585cdfbbbf2479e6e9e1f70ced47c9258bde12f98296d26fc4c3055f984d9ec2b493c1868857dd516524248873c2fa219a7cc
- SSDEEP
  
  12288:/zHSwv6XXvvY1+H8yg8kI/W0GJKzoeFG0UrMcsCZ/Ug5X5UWoHY:mY6XXIUc0hGJKzrUryCZ/
Score

10^/10

guloader collection discovery downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloadercollectiondiscoverydownloaderpersistence

behavioral2

guloaderdiscoverydownloaderpersistence

© 2018-2024

Terms | Privacy