guloader | 98be1a60aeeb3e42443c670b0e9f185c07b776e2347b8f4e58f7cc85c12fb3e6 | Triage

Sharing

General

Target

98be1a60aeeb3e42443c670b0e9f185c07b776e2347b8f4e58f7cc85c12fb3e6
Size

100KB
Sample

230129-srtdlacb96
MD5

b4dbd048b22d8e94490388cae3c59928
SHA1

d001c360adec029f459b03cdb7bcad0bcf419814
SHA256

98be1a60aeeb3e42443c670b0e9f185c07b776e2347b8f4e58f7cc85c12fb3e6
SHA512

496a36a47ad1e58b0433d3d983b9b5225ba31a7ce899f66f41dca732476c7acd32d8482e11c4dec007b9190cb370fbade45dc0a265579ece573d01e45fd0ad6b
SSDEEP

1536:1WWTwV4fVhubszPs45N/igfQAIqcc0423pN1lA6XVCiHX:5wVUPhzEWN/NoKj23r1lA6XVCiX

Score

10^/10

guloader downloader

Malware Config

Extracted

Family

guloader

C2

https://cdn.discordapp.com/attachments/807722001241210933/813865812821409822/ePbJss27.bin

xor.base64

Targets

- Target
  
  98be1a60aeeb3e42443c670b0e9f185c07b776e2347b8f4e58f7cc85c12fb3e6
- Size
  
  100KB
- MD5
  
  b4dbd048b22d8e94490388cae3c59928
- SHA1
  
  d001c360adec029f459b03cdb7bcad0bcf419814
- SHA256
  
  98be1a60aeeb3e42443c670b0e9f185c07b776e2347b8f4e58f7cc85c12fb3e6
- SHA512
  
  496a36a47ad1e58b0433d3d983b9b5225ba31a7ce899f66f41dca732476c7acd32d8482e11c4dec007b9190cb370fbade45dc0a265579ece573d01e45fd0ad6b
- SSDEEP
  
  1536:1WWTwV4fVhubszPs45N/igfQAIqcc0423pN1lA6XVCiHX:5wVUPhzEWN/NoKj23r1lA6XVCiX
Score

10^/10

guloader downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdownloader

behavioral2

guloaderdownloader