guloader | 51eb6f93ce575ef4eedabd514acd4114cf177bcbfeab9651eb9ce13c10912152 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

51eb6f93ce575ef4eedabd514acd4114cf177bcbfeab9651eb9ce13c10912152
Size

45KB
Sample

231101-armlyaga6t
MD5

cd4a682fb0201a9f50d9498bc00b9dfa
SHA1

56e36afb1fd723332e5d4301aa134a1665261ad3
SHA256

51eb6f93ce575ef4eedabd514acd4114cf177bcbfeab9651eb9ce13c10912152
SHA512

656b6fd4d919eac7a28a3695ad26f5601882c9d841cba3ee71fb1a8a5085146a0628d7d0e7fa86dc8e4bdb25a3c92704dac38777c35c6b7c2f0abee3b687026e
SSDEEP

768:4/JBtMcyFGvgkCTLhvDziOz1H8wox4P0wtxpVTthfXtGi3qS/UAtGsKTdu2gxvE:IBQTNvnig18wo+/txp1XtGi3qPAt+LgW

Score

10^/10

guloader xworm downloader persistence rat trojan

Malware Config

Targets

- Target
  
  RFQ-10004_PTT プロジェクト·pdf.vbs
- Size
  
  88KB
- MD5
  
  e694956dd9c113fbc759db1e978576a4
- SHA1
  
  5e901b13dc38ff3c934dda1d620ac2368f3026aa
- SHA256
  
  9d26fc8d853b4c53fb0fc10e84939790b8bcdc1d8c1c1de43ec36ff204ed5d92
- SHA512
  
  40b2e4d5bdfc2a6767ec7a92828de8d57c7c1685c8e671441ed6292261ae54022815f297970467f0ff11a78b8cd28c3a151188ceca558eae1b493518b128b436
- SSDEEP
  
  1536:AtWVkKDBxCjcPljwZ9tXbLZNyIi+CWiwKQtJHOXtS1Kiw2OFeBujpy4:aOFBxyc9jwZ95LRi+r3LtV2tSYiw2see
Score

10^/10

guloader downloader persistence xworm rat trojan
- Detect Xworm Payload
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdownloaderpersistence

behavioral2

guloaderxwormdownloaderpersistencerattrojan