guloader | 2e6a8bb2fcfef5cdc29aa03bfe22b01ebe7b3f71e09ad302dec93d672d1c3141 | Triage

Submit
Reports

Overview

overview

Static

static

a74960472a...2b.exe

windows7-x64

a74960472a...2b.exe

windows10-2004-x64

Sharing

General

Target

a74960472ab338a421fb56948e742f2b.exe
Size

619KB
Sample

230201-thd3zsce21
MD5

a74960472ab338a421fb56948e742f2b
SHA1

c39bd553f3a1b8147f98056f8ea81bb6d6099b1e
SHA256

2e6a8bb2fcfef5cdc29aa03bfe22b01ebe7b3f71e09ad302dec93d672d1c3141
SHA512

7cbbc8d2ba0202370a82bbd2f24a7123a364e41a89c6f1f5472f702c91cac9f976ea1189c32462f97e5bff8c46978c691df9260945eeefb5054b09b65289da9d
SSDEEP

12288:b7EWNDJccwIWYh7jQ4+ngZnz/B4WW3nVVP7ntr9+E78MNv1z2qcNjRtBnMAr8+:MUlyYtjQ4UWz/B4vT7CE78YvjsNfC+

Score

10^/10

guloader discovery downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

a74960472ab338a421fb56948e742f2b.exe

Resource

win7-20221111-en

guloader discovery downloader persistence

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

a74960472ab338a421fb56948e742f2b.exe

Resource

win10v2004-20221111-en

guloader discovery downloader persistence

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  a74960472ab338a421fb56948e742f2b.exe
- Size
  
  619KB
- MD5
  
  a74960472ab338a421fb56948e742f2b
- SHA1
  
  c39bd553f3a1b8147f98056f8ea81bb6d6099b1e
- SHA256
  
  2e6a8bb2fcfef5cdc29aa03bfe22b01ebe7b3f71e09ad302dec93d672d1c3141
- SHA512
  
  7cbbc8d2ba0202370a82bbd2f24a7123a364e41a89c6f1f5472f702c91cac9f976ea1189c32462f97e5bff8c46978c691df9260945eeefb5054b09b65289da9d
- SSDEEP
  
  12288:b7EWNDJccwIWYh7jQ4+ngZnz/B4WW3nVVP7ntr9+E78MNv1z2qcNjRtBnMAr8+:MUlyYtjQ4UWz/B4vT7CE78YvjsNfC+
Score

10^/10

guloader discovery downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloaderpersistence

behavioral2

guloaderdiscoverydownloaderpersistence

© 2018-2024

Terms | Privacy