guloader | 33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30 | Triage

Submit
Reports

Overview

overview

Static

static

reciept_ 0...PG.vbs

windows7-x64

reciept_ 0...PG.vbs

windows10-2004-x64

Sharing

General

Target

reciept_ 0014010303102_JPG.vbs
Size

411KB
Sample

230202-nlk3tafh79
MD5

d26b9137f31c1c7296ea710bd71b3a59
SHA1

b37fcfde9230d8854a8bedb13203beffeb71df21
SHA256

33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30
SHA512

ae88914f39a5b695003d77fe1d1bc06b3302f3956ed597125ab0f81f998b35019ec49320de833ed4201cccb98651a3e97ed142d38a84d3a4ebb1706bd8ab9ad6
SSDEEP

6144:JCj1ltFlJ1KxZheePFmYAcM2qQLIcK6wa31LBygR9T8nMs85HaUb4bWPJxxRBtps:Uj7tHP+3zzqVcK6egj4MJ5HaUbhv3ps

Score

10^/10

guloader collection downloader

Static task

static1

Behavioral task

behavioral1

Sample

reciept_ 0014010303102_JPG.vbs

Resource

win7-20221111-en

guloader collection downloader

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

reciept_ 0014010303102_JPG.vbs

Resource

win10v2004-20221111-en

guloader downloader

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  reciept_ 0014010303102_JPG.vbs
- Size
  
  411KB
- MD5
  
  d26b9137f31c1c7296ea710bd71b3a59
- SHA1
  
  b37fcfde9230d8854a8bedb13203beffeb71df21
- SHA256
  
  33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30
- SHA512
  
  ae88914f39a5b695003d77fe1d1bc06b3302f3956ed597125ab0f81f998b35019ec49320de833ed4201cccb98651a3e97ed142d38a84d3a4ebb1706bd8ab9ad6
- SSDEEP
  
  6144:JCj1ltFlJ1KxZheePFmYAcM2qQLIcK6wa31LBygR9T8nMs85HaUb4bWPJxxRBtps:Uj7tHP+3zzqVcK6egj4MJ5HaUbhv3ps
Score

10^/10

guloader collection downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

guloadercollectiondownloader

behavioral2

guloaderdownloader

© 2018-2024

Terms | Privacy