guloader | 5fa45df110fa3297cf9a6b980f8a8183569ce96b511bbe7d9cef1491ccca2136

General

Target

PO# ROSIT MR2309040.exe
Size

761KB
MD5

9cca6c27ab4c2d57ffb57973de78658c
SHA1

961a879187aa8d7665cb00bbbfddcf67bce4172c
SHA256

051cb37b130a5af6e0fdcedbcbf67901e45baf9a99cf81e106b0e72e4ef2f6b9
SHA512

afca46b53e037e1872f4810c45ac0561bcef96b7dffc34bfd697082228934f66a5ea949b578a28f9d1e1b6ee4698e639dc2f4ed4769eec2aa9ad55382ba91461
SSDEEP

12288:Zgf3/HvEqA4wXuyo86ii63KnVdZsfZhgZ7q+V9qKWLZrEGg29fiuhx:83/PE0weyorI6nzOfZq7S+o9v

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
2764	PO# ROSIT MR2309040.exe
2764	PO# ROSIT MR2309040.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2184	PO# ROSIT MR2309040.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2764	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2764 set thread context of 2184	2764	PO# ROSIT MR2309040.exe	30
PID 2184 set thread context of 1208	2184	PO# ROSIT MR2309040.exe	21
PID 2184 set thread context of 2004	2184	PO# ROSIT MR2309040.exe	33
PID 2004 set thread context of 1208	2004	help.exe	21

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\naah.Akt79	PO# ROSIT MR2309040.exe
File created	C:\Program Files (x86)\tribesmen.lnk	PO# ROSIT MR2309040.exe
File opened for modification	C:\Program Files (x86)\tribesmen.lnk	PO# ROSIT MR2309040.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\superline.Vrk218	PO# ROSIT MR2309040.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2184	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe
2004	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2764	PO# ROSIT MR2309040.exe
2184	PO# ROSIT MR2309040.exe
1208	Explorer.EXE
1208	Explorer.EXE
2004	help.exe
2004	help.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2184	2764	PO# ROSIT MR2309040.exe	30
PID 2764 wrote to memory of 2184	2764	PO# ROSIT MR2309040.exe	30
PID 2764 wrote to memory of 2184	2764	PO# ROSIT MR2309040.exe	30
PID 2764 wrote to memory of 2184	2764	PO# ROSIT MR2309040.exe	30
PID 2764 wrote to memory of 2184	2764	PO# ROSIT MR2309040.exe	30
PID 2764 wrote to memory of 2184	2764	PO# ROSIT MR2309040.exe	30
PID 1208 wrote to memory of 2004	1208	Explorer.EXE	33
PID 1208 wrote to memory of 2004	1208	Explorer.EXE	33
PID 1208 wrote to memory of 2004	1208	Explorer.EXE	33
PID 1208 wrote to memory of 2004	1208	Explorer.EXE	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe
  "C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe
    "C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2184
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tribesmen.lnk

Filesize
994B

MD5
369fe95f362239e821084436ea31e1a2

SHA1
82aedd2fa9b81779a241645e1d2d11a5773e79b9

SHA256
c9e39001ae5d773a10dc0a132a4a13e649ab94b54474b97567b548d5ec2ee589

SHA512
d6c56559b9ba670f609cec6985fd510519705154fc6d5e4fd187a1da9571c3cd412f659edb0e34f46aaf2e60a6a8bea7f57f5769f8c4e37a4c89f3a252a7a9c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E15.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/1208-48-0x0000000008A90000-0x0000000009C97000-memory.dmp

Filesize
18.0MB

Download
memory/1208-58-0x0000000008A90000-0x0000000009C97000-memory.dmp

Filesize
18.0MB

Download
memory/2004-60-0x0000000000570000-0x000000000060D000-memory.dmp

Filesize
628KB

Download
memory/2004-59-0x00000000000C0000-0x0000000000100000-memory.dmp

Filesize
256KB

Download
memory/2004-57-0x0000000000570000-0x000000000060D000-memory.dmp

Filesize
628KB

Download
memory/2004-56-0x00000000000C0000-0x0000000000100000-memory.dmp

Filesize
256KB

Download
memory/2004-54-0x0000000000B30000-0x0000000000E33000-memory.dmp

Filesize
3.0MB

Download
memory/2004-51-0x00000000000C0000-0x0000000000100000-memory.dmp

Filesize
256KB

Download
memory/2004-50-0x00000000000C0000-0x0000000000100000-memory.dmp

Filesize
256KB

Download
memory/2184-27-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-29-0x00000000775D6000-0x00000000775D7000-memory.dmp

Filesize
4KB

Download
memory/2184-31-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-55-0x0000000001470000-0x00000000036B5000-memory.dmp

Filesize
34.3MB

Download
memory/2184-32-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-34-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-35-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-36-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-37-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-38-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-39-0x0000000033750000-0x0000000033A53000-memory.dmp

Filesize
3.0MB

Download
memory/2184-40-0x00000000775A0000-0x0000000077676000-memory.dmp

Filesize
856KB

Download
memory/2184-47-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-30-0x0000000001470000-0x00000000036B5000-memory.dmp

Filesize
34.3MB

Download
memory/2184-49-0x00000000000C0000-0x00000000000DE000-memory.dmp

Filesize
120KB

Download
memory/2184-28-0x00000000773B0000-0x0000000077559000-memory.dmp

Filesize
1.7MB

Download
memory/2184-26-0x0000000001470000-0x00000000036B5000-memory.dmp

Filesize
34.3MB

Download
memory/2184-52-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2184-25-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2764-33-0x0000000003B30000-0x0000000005D75000-memory.dmp

Filesize
34.3MB

Download
memory/2764-24-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2764-23-0x00000000775A0000-0x0000000077676000-memory.dmp

Filesize
856KB

Download
memory/2764-22-0x00000000773B0000-0x0000000077559000-memory.dmp

Filesize
1.7MB

Download
memory/2764-21-0x0000000003B30000-0x0000000005D75000-memory.dmp

Filesize
34.3MB

Download
memory/2764-20-0x0000000003B30000-0x0000000005D75000-memory.dmp

Filesize
34.3MB

Download

Analysis

Sharing