guloader | 7fb0f9a2a6f1d9b75dac31e00e70c38a0bc26d2451561a0b37444244e1ddd62d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14/07/2023, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Factura 1-000816pdf.exe
Size

362KB
MD5

f022d5f21c803c1936e2c6f28f0f9240
SHA1

43e0065a86b944771992db8af0cad4ee86631aa4
SHA256

22b6816c45f86b303404b94b09b852a910d4ef335c05244c4acf6450ed86572b
SHA512

71996f172266f4b5ece2c2f374df618310df7f1e4e895a50337f955335dec9bea5403abf05fb96a2734184a9d121b52f11c65a244930f39d92aefb8bc61a9a2c
SSDEEP

6144:/oShfEPZVheNA+ff03j2NVag8mLWUkCs3dD1A2uwxMf6rbmOuGot:QqCnhe2e4j2627kCsERwGfvdt

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Factura 1-000816pdf.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Factura 1-000816pdf.exe

Loads dropped DLL 1 IoCs

pid	Process
2584	Factura 1-000816pdf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Interlocating\Supereligibleness.Var	Factura 1-000816pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2584	Factura 1-000816pdf.exe
2860	Factura 1-000816pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2860	2584	Factura 1-000816pdf.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\Dicarpellary.ini	Factura 1-000816pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2584	Factura 1-000816pdf.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2860	2584	Factura 1-000816pdf.exe	30
PID 2584 wrote to memory of 2860	2584	Factura 1-000816pdf.exe	30
PID 2584 wrote to memory of 2860	2584	Factura 1-000816pdf.exe	30
PID 2584 wrote to memory of 2860	2584	Factura 1-000816pdf.exe	30
PID 2584 wrote to memory of 2860	2584	Factura 1-000816pdf.exe	30

C:\Users\Admin\AppData\Local\Temp\Factura 1-000816pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Factura 1-000816pdf.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\Factura 1-000816pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura 1-000816pdf.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy8AC3.tmp\System.dll

Filesize
11KB

MD5
6ad39193ed20078aa1b23c33a1e48859

SHA1
95e70e4f47aa1689cc08afbdaef3ec323b5342fa

SHA256
b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2

SHA512
78c89bb8c86f3b68e5314467eca4e8e922d143335081fa66b01d756303e1aec68ed01f4be7098dbe06a789ca32a0f31102f5ba408bc5ab28e61251611bb4f62b

Download Submit
memory/2584-62-0x0000000002D50000-0x0000000006049000-memory.dmp

Filesize
51.0MB

Download
memory/2584-63-0x0000000002D50000-0x0000000006049000-memory.dmp

Filesize
51.0MB

Download
memory/2584-64-0x0000000077440000-0x00000000775E9000-memory.dmp

Filesize
1.7MB

Download
memory/2584-65-0x0000000077630000-0x0000000077706000-memory.dmp

Filesize
856KB

Download
memory/2584-66-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2860-67-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2860-68-0x0000000001470000-0x0000000004769000-memory.dmp

Filesize
51.0MB

Download
memory/2860-69-0x0000000077440000-0x00000000775E9000-memory.dmp

Filesize
1.7MB

Download
memory/2860-70-0x0000000001470000-0x0000000004769000-memory.dmp

Filesize
51.0MB

Download
memory/2860-71-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download