guloader | f34af4e240968da5243075917a094299d81806908f1eccec9ef7aeb6ebbbb21a | Triage

Submit
Reports

Overview

overview

Static

static

1

Univerzita...df.exe

windows7-x64

Univerzita...df.exe

windows10-2004-x64

Sharing

General

Target

Univerzita Komenského RFQ 15-02-2023·pdf.exe
Size

302KB
Sample

230215-sdblmacb2z
MD5

4f2b1399d057a2f1f9606a38a2f79cd3
SHA1

da6499d8a651515cb36bc6842e74500002312bf0
SHA256

f34af4e240968da5243075917a094299d81806908f1eccec9ef7aeb6ebbbb21a
SHA512

0da1f6e50c9cd979695ab64acbc487da64b160e313ac8e04b3a9c370643c90b3906f9ab4891f5f459245bc318666f1dd1be44bc85121165f98ff1bc571a4e5b9
SSDEEP

6144:i5lz/h074FnBrDVC3mMIm35HXZc66fugtSvjiT+Vj5qtrOWlGdwCb:C4cFnHur5ib20SvM+ytrOqgXb

Score

10^/10

guloader warzonerat discovery downloader infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

Univerzita Komenského RFQ 15-02-2023·pdf.exe

Resource

win7-20220812-en

guloader warzonerat discovery downloader infostealer persistence rat

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Univerzita Komenského RFQ 15-02-2023·pdf.exe

Resource

win10v2004-20221111-en

guloader warzonerat downloader infostealer persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  Univerzita Komenského RFQ 15-02-2023·pdf.exe
- Size
  
  302KB
- MD5
  
  4f2b1399d057a2f1f9606a38a2f79cd3
- SHA1
  
  da6499d8a651515cb36bc6842e74500002312bf0
- SHA256
  
  f34af4e240968da5243075917a094299d81806908f1eccec9ef7aeb6ebbbb21a
- SHA512
  
  0da1f6e50c9cd979695ab64acbc487da64b160e313ac8e04b3a9c370643c90b3906f9ab4891f5f459245bc318666f1dd1be44bc85121165f98ff1bc571a4e5b9
- SSDEEP
  
  6144:i5lz/h074FnBrDVC3mMIm35HXZc66fugtSvjiT+Vj5qtrOWlGdwCb:C4cFnHur5ib20SvM+ytrOqgXb
Score

10^/10

guloader warzonerat discovery downloader infostealer persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderwarzoneratdiscoverydownloaderinfostealerpersistencerat

behavioral2

guloaderwarzoneratdownloaderinfostealerpersistencerat

© 2018-2025

Terms | Privacy