guloader | caad589daa525d04613405455e0304f0197ea33a3aa9e8152a99249dac2f42a4 | Triage

Submit
Reports

Overview

overview

Static

static

caad589daa...a4.exe

windows7-x64

caad589daa...a4.exe

windows10-2004-x64

Sharing

General

Target

caad589daa525d04613405455e0304f0197ea33a3aa9e8152a99249dac2f42a4
Size

132KB
Sample

230129-1wb9waed82
MD5

dfdbbafef5cf6b3358a099dac867fec6
SHA1

fa970f770679a60d0eea9f7e834414335a547721
SHA256

caad589daa525d04613405455e0304f0197ea33a3aa9e8152a99249dac2f42a4
SHA512

5f248feb2c07bd8041d54d620219ef807cdbaa296d657b73063ec38093588049cc12f190164433a9c3be7278b63e5cb224f2e173117426b52c61a004df362b30
SSDEEP

1536:AZHtnIRYS5/Cac/Lo58OT4o/jbkZGcEXH+zX6JaB4a1L73rGUn2MEz:Ph6g8CRTHSNB4a137GU2X

Score

10^/10

guloader downloader guloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

caad589daa525d04613405455e0304f0197ea33a3aa9e8152a99249dac2f42a4.exe

Resource

win7-20221111-en

guloader downloader guloader persistence

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

caad589daa525d04613405455e0304f0197ea33a3aa9e8152a99249dac2f42a4.exe

Resource

win10v2004-20220901-en

guloader downloader guloader persistence

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1-HLxBTGgDQAJoi4W7itkL8n6nA0XOFJK

xor.base64

Targets

- Target
  
  caad589daa525d04613405455e0304f0197ea33a3aa9e8152a99249dac2f42a4
- Size
  
  132KB
- MD5
  
  dfdbbafef5cf6b3358a099dac867fec6
- SHA1
  
  fa970f770679a60d0eea9f7e834414335a547721
- SHA256
  
  caad589daa525d04613405455e0304f0197ea33a3aa9e8152a99249dac2f42a4
- SHA512
  
  5f248feb2c07bd8041d54d620219ef807cdbaa296d657b73063ec38093588049cc12f190164433a9c3be7278b63e5cb224f2e173117426b52c61a004df362b30
- SSDEEP
  
  1536:AZHtnIRYS5/Cac/Lo58OT4o/jbkZGcEXH+zX6JaB4a1L73rGUn2MEz:Ph6g8CRTHSNB4a137GU2X
Score

10^/10

guloader downloader guloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Guloader payload
  guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloaderdownloaderguloaderpersistence

behavioral2

guloaderdownloaderguloaderpersistence

© 2018-2024

Terms | Privacy