guloader | 19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e | Triage

Submit
Reports

Overview

overview

Static

static

1

Purchase order.vbe

windows7-x64

Purchase order.vbe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

Purchase order.vbe
Size

13KB
Sample

230328-wcb3jscc89
MD5

496ff1fed502e29c071482cb102610c9
SHA1

6f5687c69e8ca873e26f1ee6b10d0ac8d1bbbb90
SHA256

19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e
SHA512

829dfd71bd579be926e6cde629916868f63d18a2a9238c5362b0785b28fa21c31551fd3b78561d8fec2409d2acf2a96cb2beb242ad877f060311388d585cf2bb
SSDEEP

192:o9Al45haj3WuQYv5IdbcBoqEmeZx1zxqNklStddP93YBn/w7c0O23N/rgjKmrF:o9Z7Mvyl+NqZYNdtp30I/xmZ

Score

10^/10

guloader downloader persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Purchase order.vbe

Resource

win7-20230220-en

guloader downloader persistence spyware stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase order.vbe

Resource

win10v2004-20230220-en

guloader downloader persistence

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  Purchase order.vbe
- Size
  
  13KB
- MD5
  
  496ff1fed502e29c071482cb102610c9
- SHA1
  
  6f5687c69e8ca873e26f1ee6b10d0ac8d1bbbb90
- SHA256
  
  19414e87fa7d0c6264b94810039b0465efd408d65efa70f62e9a8ec5ea8f222e
- SHA512
  
  829dfd71bd579be926e6cde629916868f63d18a2a9238c5362b0785b28fa21c31551fd3b78561d8fec2409d2acf2a96cb2beb242ad877f060311388d585cf2bb
- SSDEEP
  
  192:o9Al45haj3WuQYv5IdbcBoqEmeZx1zxqNklStddP93YBn/w7c0O23N/rgjKmrF:o9Z7Mvyl+NqZYNdtp30I/xmZ
Score

10^/10

guloader downloader persistence spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdownloaderpersistencespywarestealer

behavioral2

guloaderdownloaderpersistence

© 2018-2025

Terms | Privacy