guloader | 49c664a223499b26d21c32fa465d34dda9c824a3940eda061ea8ccfdac003a3a | Triage

Submit
Reports

Overview

overview

Static

static

3

Gardenizes.exe

windows7-x64

Gardenizes.exe

windows10-2004-x64

Sharing

General

Target

Gardenizes.exe
Size

526KB
Sample

230530-xqyn5sbc37
MD5

272af9392194c64dd28d80bc09098a11
SHA1

5b87e32283412d27880e43db5670ac05591e5fb5
SHA256

49c664a223499b26d21c32fa465d34dda9c824a3940eda061ea8ccfdac003a3a
SHA512

f332313483d647f80c9d521cdce765cbebabe0dbd6f3e1467c723c597e09056f33f0849c785a76496f74a5c23bd04431b5246429e8e18e4bf3d5bbd9e48a409b
SSDEEP

12288:cVl7xI2ap5h9xrmJJlFdOmwLGIPpfjVHmDTiCba6fR:cb7xI2ap55momV8FjVHmO6fR

Score

10^/10

guloader discovery downloader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Gardenizes.exe

Resource

win7-20230220-en

guloader discovery downloader

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

Gardenizes.exe

Resource

win10v2004-20230220-en

guloader discovery downloader

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  Gardenizes.exe
- Size
  
  526KB
- MD5
  
  272af9392194c64dd28d80bc09098a11
- SHA1
  
  5b87e32283412d27880e43db5670ac05591e5fb5
- SHA256
  
  49c664a223499b26d21c32fa465d34dda9c824a3940eda061ea8ccfdac003a3a
- SHA512
  
  f332313483d647f80c9d521cdce765cbebabe0dbd6f3e1467c723c597e09056f33f0849c785a76496f74a5c23bd04431b5246429e8e18e4bf3d5bbd9e48a409b
- SSDEEP
  
  12288:cVl7xI2ap5h9xrmJJlFdOmwLGIPpfjVHmDTiCba6fR:cb7xI2ap55momV8FjVHmO6fR
Score

10^/10

guloader discovery downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloader

behavioral2

guloaderdiscoverydownloader

© 2018-2025

Terms | Privacy