guloader | 35b7f8f367d09665365f36797864f1d2cc886b1e338bb55773c4d20bd03b0a44

General

Target

7t7yo1ace.ace
Size

330KB
Sample

230629-tnzxmseb36
MD5

160107068d93a6e0c0f4e306781a71ee
SHA1

ae5372c6fc1bba6a2d89cfd62cc15718c0734704
SHA256

35b7f8f367d09665365f36797864f1d2cc886b1e338bb55773c4d20bd03b0a44
SHA512

41c6dd70e6ad6eefd96dd6765fd89264da1986bf129a2bb7d9a3d75e912257b031313ce7f5e5fb7ade51ae16d46cbc33968ec44a7bd4a3565bbf9b2468f5b406
SSDEEP

6144:zbfXkzoEhOuJbF7hLHIeO1EfkSZD7LDprvujhKlEvetbsNKyKXAqfO:zwl5RhbUgLZHL1rGrehsNK3AD

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

jmtjmt.ddns.net:31286

127.0.0.1:31286

Mutex

46c9bda4-e125-4dd5-a6bc-9534e28e6f57

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2023-04-07T22:07:05.637187936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
31286
default_group
MILLION
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
46c9bda4-e125-4dd5-a6bc-9534e28e6f57
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
jmtjmt.ddns.net
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Geo Ltd_doc_Invoice_img_021113210211.exe
- Size
  
  402KB
- MD5
  
  dc29a3a35a1663ab09f9eaa8c206358d
- SHA1
  
  46bd5ff1f3bcee5d6eaa9a83934e285e81c67e8a
- SHA256
  
  6aed342a5d0971e9b0b9f962f810d5f439b677905292e744abae9d78a9faacfa
- SHA512
  
  836121365cc99519435970993744a9723f19c10476b1caac466b82d393544c57c11ea7f14b0508c304283d2d6266e4025f126abc6e8001e24a30c4ecedf6e413
- SSDEEP
  
  6144:EspNjlsz0aRDCs8c8ewoeslml+dHRcHck62PHlvwcSlyuaYit4ylMvKGc:EciTR2seeflHETplvbUyuuWCp
Score

10^/10

guloader discovery downloader persistence nanocore keylogger spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

NanoCore

Checks QEMU agent file

Loads dropped DLL

Unexpected DNS network traffic destination

Adds Run key to start application

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2