guloader | 1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189

Analysis

max time kernel
157s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe
Size

641KB
MD5

3252c14066a6827fea1b53888393215c
SHA1

0d4a686e8aa4b3c697105e3d42bf2e81a14b97db
SHA256

1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189
SHA512

d5d7f3c6c3dcc36922eb78262d37ecec4e86100c0e23b720b1d5c5a76a24f05a0358a3f35a710cf7ac72042a6fc508d10731313328158de9a5ba796618952bc6
SSDEEP

12288:CyT3x2wQNot/f7XCZF5z5I4OtdB2Q2Bdg+QRQhFle9APRLH:1x2VNot/fmb31OtdB2Q2BK7cFlRT

Score

10^/10

guloader warzonerat downloader infostealer rat

Malware Config

Extracted

Family

warzonerat

mad.unicornsupplychains.com:42

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

resource	yara_rule
behavioral2/memory/1676-191-0x00000000004A0000-0x00000000016F4000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1676-195-0x00000000004A0000-0x00000000016F4000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1676-197-0x00000000004A0000-0x00000000016F4000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables embedding command execution via IExecuteCommand COM object 3 IoCs

resource	yara_rule
behavioral2/memory/1676-191-0x00000000004A0000-0x00000000016F4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral2/memory/1676-195-0x00000000004A0000-0x00000000016F4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral2/memory/1676-197-0x00000000004A0000-0x00000000016F4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1676-191-0x00000000004A0000-0x00000000016F4000-memory.dmp	warzonerat
behavioral2/memory/1676-195-0x00000000004A0000-0x00000000016F4000-memory.dmp	warzonerat
behavioral2/memory/1676-197-0x00000000004A0000-0x00000000016F4000-memory.dmp	warzonerat

Loads dropped DLL 2 IoCs

pid	Process
5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe
5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\betrayal\Ejektor119.ini	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1676	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe
1676	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 1676	5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe	95

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\inshrining\Ernringsekspertens.ini	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1676	5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe	95
PID 5020 wrote to memory of 1676	5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe	95
PID 5020 wrote to memory of 1676	5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe	95
PID 5020 wrote to memory of 1676	5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe	95
PID 5020 wrote to memory of 1676	5020	1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe	95

C:\Users\Admin\AppData\Local\Temp\1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe
"C:\Users\Admin\AppData\Local\Temp\1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe
  "C:\Users\Admin\AppData\Local\Temp\1f31c47ed2cfe4188f81cfc0830897872012fa3c8c045ecc8844a42020c07189.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
ba9c44050017613c5b4abb5bd41ed0ac

SHA1
e8cf4b17d67b82a39d86d242622abf2e4a4424cb

SHA256
914eaa50ef8a04eacf964a98c95a39af43e7597dfa0fa33d5d729946cc88cbf6

SHA512
f3ae105459083ef9139bee4fd8d7c37b8d412648a9d29c16c4dc5b24303423cde83fb3c6e834bf28a6d1bbcb10e4abe85171e7e47cce18c67d5e49d9289e5e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
24d80a2bd6889dde7ebd67fb8411c4be

SHA1
37ad40243ff7582ed86efb3e3acbb0d7a50d0fa0

SHA256
8c64cbe1b7f51d02c635e71070e9bc923cde591c742f7ce533f3ca9fa5588778

SHA512
3dbe6fdde5f58829c3e160c1c23f463abb2d271122a9bc7a96409889e1ad04305ee905907423b0062360050bd604ba87578b7bdfbde4b2bebed0a4f746328bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
827da90b19cc5d6bfc07304dc266a7ac

SHA1
79dcee7b7386cba4ed3a7e7c9c55d592b70b48e6

SHA256
08c947685c9dea48313fd28701a66c589b3f25cf1b5036b858ac41c073cc4770

SHA512
1cf3be14bd82a3c36748379d75af674446fdaf029bcbd3bf16f7e921fda008e452b5ed246b0f77dc39d16212c8908c2da8c31f6a0d8f6e7a6935c993a887905d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
e593715af77bbbda50806c3ef8798202

SHA1
60f8dcc7d9b66c3e15f5e876eebfef7c3f4c8252

SHA256
bbf40e99423c6a2813e253f059aa26a815b59465cadadd9fb6c82a73a1b66b68

SHA512
f70e5c25216fb8b0e9732b7b04088e6df985c840c3dec4c299a44c361fed50132e087ebca073846af91e219b94d10ab35ac4ffa7e60b34121a1f05cea10518c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
0b3728aec3cad4eeb5aae2c329dee47a

SHA1
583bb9a4c48f70a2cc98f58e72bfb535be2bec84

SHA256
6edf5f8d1c03ec18713e16c24fb5aeab092e4ed5dbcb14032b78dde4468d2a0a

SHA512
a94cf0380cc099b5b6d60f241fb38a05194378eb57b779e4c2edd5fadd7bf98c2720eefcd96f68480e23320e8ef81d52ed6fafcc7fcea40f3155e1ef31c6a4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
a3919f5713ec1f45d480c949f32683c1

SHA1
c059b865a41cade1a95e32724452947eb2856a2b

SHA256
8078d635b9b0d9316156812da55d4f73ce92598766a2ed7abbadedb592339957

SHA512
b9ce88f067fa8f880188d9742addb532f8452f17175734479965e94786573deb0ca69127bc485b15141bb96483929751bf262e2130076c8a554a9c544bbcbb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
2add26d0c9ada6c994b4196936b955e4

SHA1
25548913f21cce791ff9afeb8922e1dd5592c5dc

SHA256
06e4a75bccc506a020691210e2f6ed041fee4680cb914048db7d305251f4e040

SHA512
334c5ce30e0d3cd91ade84ef2142ba08fba52a87a634b2a9dd3e2f79e70451104408adb6ca0aa1a087b5da67c1893275231c0918a43d63d44c85bf2df5c4285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
64be7199fddf7c058ac2f56a39cd0578

SHA1
e69d20cf0d6e0a8c181d25918b9cc029cdf6635e

SHA256
005121ccd840186d234829fd07ed1cbb1c1e6d3db443dfdf642eb58435a46f30

SHA512
d392d3139b809805ce0ec551f46ee561468aa2e8181c5e1d4538b57330d5a3f6485058ddbd51d530b0c86a43bd31aa706f5ab2fda84aaf4239f0e5d69b337a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambo.ini

Filesize
29B

MD5
cd4565c3fe18e1df214c7378df689212

SHA1
4158ab2a1b5252c7ab8844201f8708c38c56bf1c

SHA256
abf690d3db1f60ae2c67ca513a695ad75cef4c9d772ab13d7e88a558de68aa0c

SHA512
ce7346db6244a800c220141c5082ad4bd5259c99b898a85122271e4b314c59db2686578a31ab9ebcfac4000a254122473c74176ec3652ebf2ecff47e06e8ecea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA683.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/1676-191-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/1676-195-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/1676-198-0x0000000077341000-0x0000000077461000-memory.dmp

Filesize
1.1MB

Download
memory/1676-180-0x0000000001700000-0x00000000025BC000-memory.dmp

Filesize
14.7MB

Download
memory/1676-197-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/1676-182-0x00000000773C8000-0x00000000773C9000-memory.dmp

Filesize
4KB

Download
memory/1676-183-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/1676-184-0x00000000773E5000-0x00000000773E6000-memory.dmp

Filesize
4KB

Download
memory/1676-196-0x0000000001700000-0x00000000025BC000-memory.dmp

Filesize
14.7MB

Download
memory/5020-194-0x0000000004910000-0x00000000057CC000-memory.dmp

Filesize
14.7MB

Download
memory/5020-178-0x0000000077341000-0x0000000077461000-memory.dmp

Filesize
1.1MB

Download
memory/5020-177-0x0000000004910000-0x00000000057CC000-memory.dmp

Filesize
14.7MB

Download
memory/5020-181-0x0000000004910000-0x00000000057CC000-memory.dmp

Filesize
14.7MB

Download
memory/5020-179-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download