guloader | f2d8703d0b3ec39872caf5d17b2dd6258e73b2b87923524dec5a9f86d343589b | Triage

Sharing

General

Target

f2d8703d0b3ec39872caf5d17b2dd6258e73b2b87923524dec5a9f86d343589b.vbs
Size

278KB
Sample

240419-cmkmwsfa2w
MD5

180a5b7cf2e35e007a1e0044061cd2b2
SHA1

d5c71006c6e401a04c670d847d9d0d9f8d919798
SHA256

f2d8703d0b3ec39872caf5d17b2dd6258e73b2b87923524dec5a9f86d343589b
SHA512

c9fe962710bb23bc0a2cfdcb7ec2ba5f00396d429f5026cd083d45e398790923829304378ea735dd8205cd82d88757d504e55b7f0bb671f9ca4a9d2444cd3819
SSDEEP

6144:LwdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOdy8TeJ15UL:EnS2Imc7J15kAl6

Score

10^/10

guloader downloader

Malware Config

Targets

- Target
  
  f2d8703d0b3ec39872caf5d17b2dd6258e73b2b87923524dec5a9f86d343589b.vbs
- Size
  
  278KB
- MD5
  
  180a5b7cf2e35e007a1e0044061cd2b2
- SHA1
  
  d5c71006c6e401a04c670d847d9d0d9f8d919798
- SHA256
  
  f2d8703d0b3ec39872caf5d17b2dd6258e73b2b87923524dec5a9f86d343589b
- SHA512
  
  c9fe962710bb23bc0a2cfdcb7ec2ba5f00396d429f5026cd083d45e398790923829304378ea735dd8205cd82d88757d504e55b7f0bb671f9ca4a9d2444cd3819
- SSDEEP
  
  6144:LwdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOdy8TeJ15UL:EnS2Imc7J15kAl6
Score

10^/10

guloader downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guloaderdownloader

behavioral2

guloaderdownloader