guloader | 4ef3b9bb1838d76bda8e4e09b033c1948ed6d96c4df1962d7e8b3006ac121158 | Triage

Sharing

General

Target

4ef3b9bb1838d76bda8e4e09b033c1948ed6d96c4df1962d7e8b3006ac121158
Size

104KB
Sample

230129-vhlcqsed74
MD5

76bdd809f1bf5dbe375dc15749932959
SHA1

e31ec86484cb2bf3b560e2f611e04fa8e4e702dd
SHA256

4ef3b9bb1838d76bda8e4e09b033c1948ed6d96c4df1962d7e8b3006ac121158
SHA512

3bd57143ff5dda15db19ec33aec123d9df8852c7f804bf499c7d59b100d545c106badf34040a634dbd9bfd62f8c94500b46d6dbff8366afb2dc956796e9e81c2
SSDEEP

1536:cb4/EQxklOmCBboyKAqJk3uNdzh1Syj4OPio8b4/EQx:8Iboy+6Kayj4ON

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

C2

http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin

xor.base64

Targets

- Target
  
  4ef3b9bb1838d76bda8e4e09b033c1948ed6d96c4df1962d7e8b3006ac121158
- Size
  
  104KB
- MD5
  
  76bdd809f1bf5dbe375dc15749932959
- SHA1
  
  e31ec86484cb2bf3b560e2f611e04fa8e4e702dd
- SHA256
  
  4ef3b9bb1838d76bda8e4e09b033c1948ed6d96c4df1962d7e8b3006ac121158
- SHA512
  
  3bd57143ff5dda15db19ec33aec123d9df8852c7f804bf499c7d59b100d545c106badf34040a634dbd9bfd62f8c94500b46d6dbff8366afb2dc956796e9e81c2
- SSDEEP
  
  1536:cb4/EQxklOmCBboyKAqJk3uNdzh1Syj4OPio8b4/EQx:8Iboy+6Kayj4ON
Score

10^/10

guloader downloader guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Guloader payload
  guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

guloaderdownloaderguloader

behavioral2