guloader | 09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4 | Triage

Submit
Reports

Overview

overview

Static

static

Destinatio...df.exe

windows7-x64

Destinatio...df.exe

windows10-2004-x64

Sharing

General

Target

Destination Document pdf.exe
Size

620KB
Sample

230131-gzwyxage5z
MD5

aa62920130adcf9c00c3c8af9b059b23
SHA1

c579411fefdf3006dc176b193f6dda8b07da0fe6
SHA256

09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4
SHA512

89e08b13c3e21f729fec3523ce412a513da90c24d4eb6ee5cdc08ceebc6b1e3c13e3ca4102bdb4e87322555b0b1a810eefb2eb8c0a3dd5603208e63994bdc086
SSDEEP

12288:b7EWNDJccwIWYh7j7TY3POh48Wfb9g5stErYyqJNBUcNjRtBnMAr8D:MUlyYtj7EojiB5Er/qPBUsNfCD

Score

10^/10

guloader discovery downloader

Static task

static1

Behavioral task

behavioral1

Sample

Destination Document pdf.exe

Resource

win7-20220812-en

guloader discovery downloader

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Destination Document pdf.exe

Resource

win10v2004-20220812-en

guloader discovery downloader

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  Destination Document pdf.exe
- Size
  
  620KB
- MD5
  
  aa62920130adcf9c00c3c8af9b059b23
- SHA1
  
  c579411fefdf3006dc176b193f6dda8b07da0fe6
- SHA256
  
  09454cff8e1b6d8a06a3731f417fc2e86d61cffccf2cab60064e7f7a1672f4b4
- SHA512
  
  89e08b13c3e21f729fec3523ce412a513da90c24d4eb6ee5cdc08ceebc6b1e3c13e3ca4102bdb4e87322555b0b1a810eefb2eb8c0a3dd5603208e63994bdc086
- SSDEEP
  
  12288:b7EWNDJccwIWYh7j7TY3POh48Wfb9g5stErYyqJNBUcNjRtBnMAr8D:MUlyYtj7EojiB5Er/qPBUsNfCD
Score

10^/10

guloader discovery downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloader

behavioral2

guloaderdiscoverydownloader

© 2018-2024

Terms | Privacy