guloader | d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15

General

Target

Geparders.exe
Size

280KB
MD5

d5483fe9cbf398d6af54199dce725081
SHA1

0149da2dd3a686c11f8a6791f6ce6057b6df2923
SHA256

d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15
SHA512

8f8dd65fabda42d7dbe345dee8f38b3b0030f50bf229b3154d804b0380eb00b0acfe57160c374c24618518f79020463c3fd9d2f226e20dc4f7776e47638b8c97
SSDEEP

6144:+lJZfr5Bt16Ofo1vMLI1rGV0BV6PQvI8WWrY6efDBY9QPQzCK2u:+lj5BJ6vlrQxQvI8HY6efQwQzCK2u

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Geparders.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Geparders.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation	Geparders.exe

Loads dropped DLL 1 IoCs

pid	Process
1544	Geparders.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1324	Geparders.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1544	Geparders.exe
1324	Geparders.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1324	1544	Geparders.exe	28
PID 1324 set thread context of 1544	1324	Geparders.exe	27

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\Lumbocolostomy\Bedrifts.Bil	Geparders.exe
File opened for modification	C:\Windows\resources\Skrivningen.ini	Geparders.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe
1324	Geparders.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1544	Geparders.exe
1324	Geparders.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	Geparders.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1324	1544	Geparders.exe	28
PID 1544 wrote to memory of 1324	1544	Geparders.exe	28
PID 1544 wrote to memory of 1324	1544	Geparders.exe	28
PID 1544 wrote to memory of 1324	1544	Geparders.exe	28
PID 1544 wrote to memory of 1324	1544	Geparders.exe	28
PID 1544 wrote to memory of 452	1544	Geparders.exe	31
PID 1544 wrote to memory of 452	1544	Geparders.exe	31
PID 1544 wrote to memory of 452	1544	Geparders.exe	31
PID 1544 wrote to memory of 452	1544	Geparders.exe	31

C:\Users\Admin\AppData\Local\Temp\Geparders.exe
"C:\Users\Admin\AppData\Local\Temp\Geparders.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\Geparders.exe
  "C:\Users\Admin\AppData\Local\Temp\Geparders.exe"
  2⤵
  - Checks QEMU agent file
  - Checks computer location settings
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Skrivningen.ini

Filesize
42B

MD5
70a4047dae48947952460c5ff242ca5b

SHA1
38aee314c1ef56eedaf03930149862391c850228

SHA256
7596a5e2cc8da4c9899ee863688dc2c4f8fa47698874009317e0243d6f8d0734

SHA512
ab5881b6e1ef76006bba51d0bb623c771f73aa763886cea43a9f9e31240c29731569cc63bae1cba95e8d99b92bcae41d41282e873fe8f291f273c3a18b09dadd

Download Submit
\Users\Admin\AppData\Local\Temp\nsy101A.tmp\System.dll

Filesize
11KB

MD5
fc90dfb694d0e17b013d6f818bce41b0

SHA1
3243969886d640af3bfa442728b9f0dff9d5f5b0

SHA256
7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

SHA512
324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

Download Submit
memory/1324-75-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1324-72-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1324-73-0x0000000001470000-0x0000000003F1D000-memory.dmp

Filesize
42.7MB

Download
memory/1324-98-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1324-99-0x0000000001470000-0x0000000003F1D000-memory.dmp

Filesize
42.7MB

Download
memory/1324-100-0x0000000001470000-0x0000000003F1D000-memory.dmp

Filesize
42.7MB

Download
memory/1324-101-0x0000000034480000-0x0000000034783000-memory.dmp

Filesize
3.0MB

Download
memory/1324-103-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1544-74-0x0000000003870000-0x000000000631D000-memory.dmp

Filesize
42.7MB

Download
memory/1544-71-0x0000000003870000-0x000000000631D000-memory.dmp

Filesize
42.7MB

Download
memory/1544-102-0x0000000006520000-0x00000000065D4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads