guloader | c1435f8fc9a6ffb253811a74d4016f73248b7226d6d5b458c3bf960ee3a38005 | Triage

Submit
Reports

Overview

overview

Static

static

transferencia.....vbe

windows7-x64

transferencia.....vbe

windows10-2004-x64

Sharing

General

Target

transferencia.....vbe
Size

60KB
Sample

230202-nlk3tafh78
MD5

880b795347b76a1660b3dfcae7bc28f7
SHA1

dd398c1781ddd4f3e69036f4dadde6c643cacd44
SHA256

c1435f8fc9a6ffb253811a74d4016f73248b7226d6d5b458c3bf960ee3a38005
SHA512

e3ff92ca5ed3cc63bd8e1213a79dfc2574e0e39a126ece3d5890062eccc56ba23efe8f4301e71e3ad1fd3b1f88f9253e8d16d3fe0b73d5e78530f25cd80a7ccc
SSDEEP

768:FlRe1yyO99pKzl2VT1Gxxy4tH/dD/ASEGZU2L7Y+yk10iGfzi945EriK:F3GyvLpylJxdfawKQNVMErd

Score

10^/10

guloader collection downloader

Static task

static1

Behavioral task

behavioral1

Sample

transferencia.....vbe

Resource

win7-20221111-en

guloader collection downloader

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

transferencia.....vbe

Resource

win10v2004-20220812-en

guloader downloader

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1dzg1926pnDm935d_Cm4TREqzX4j7oxJl

Targets

- Target
  
  transferencia.....vbe
- Size
  
  60KB
- MD5
  
  880b795347b76a1660b3dfcae7bc28f7
- SHA1
  
  dd398c1781ddd4f3e69036f4dadde6c643cacd44
- SHA256
  
  c1435f8fc9a6ffb253811a74d4016f73248b7226d6d5b458c3bf960ee3a38005
- SHA512
  
  e3ff92ca5ed3cc63bd8e1213a79dfc2574e0e39a126ece3d5890062eccc56ba23efe8f4301e71e3ad1fd3b1f88f9253e8d16d3fe0b73d5e78530f25cd80a7ccc
- SSDEEP
  
  768:FlRe1yyO99pKzl2VT1Gxxy4tH/dD/ASEGZU2L7Y+yk10iGfzi945EriK:F3GyvLpylJxdfawKQNVMErd
Score

10^/10

guloader collection downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloadercollectiondownloader

behavioral2

guloaderdownloader

© 2018-2024

Terms | Privacy