guloader | b073ae4a0ecc5af2e1e13862e97aa242768fe6f3ce1a0eb5bce474be65a5a0a7

General

Target

Stolprende.exe
Size

685KB
MD5

900a0eb54d29bc61da63381e7920e5e8
SHA1

8159aeac02faa944e109d86abd3b020fa51e4907
SHA256

b073ae4a0ecc5af2e1e13862e97aa242768fe6f3ce1a0eb5bce474be65a5a0a7
SHA512

606f1231e11fdfabf849edd81d3f6cf43552b3b602c25009d51dbbef624aa37703aa41c9b6cab61effa00e37d8d4eac759934aeb38e9bfc9feec2d47cea988c0
SSDEEP

12288:cDq0UuJqoEQg42Gu/UlGxncCX49maysm46FPwU0TvGvpvIY/:cOpuJqotcDNsWL9FP6ypvD

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
3004	Stolprende.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sdeliges.hav	Stolprende.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1676	Stolprende.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3004	Stolprende.exe
1676	Stolprende.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 1676	3004	Stolprende.exe	29
PID 1676 set thread context of 1192	1676	Stolprende.exe	21
PID 1676 set thread context of 1700	1676	Stolprende.exe	34
PID 1700 set thread context of 1192	1700	fontview.exe	21

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\sulidae.imp	Stolprende.exe
File opened for modification	C:\Program Files (x86)\Common Files\hidse.inc	Stolprende.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Keypads\bundproppernes.Goy182	Stolprende.exe
File opened for modification	C:\Windows\indgiv.syd	Stolprende.exe
File opened for modification	C:\Windows\afrits.ini	Stolprende.exe
File opened for modification	C:\Windows\Fonts\Commodores69.ryk	Stolprende.exe
File opened for modification	C:\Windows\resources\lejlighedsdigtes\isosmotically.pin	Stolprende.exe
File opened for modification	C:\Windows\resources\braknses\overvejende.myo	Stolprende.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1676	Stolprende.exe
1676	Stolprende.exe
1676	Stolprende.exe
1676	Stolprende.exe
1676	Stolprende.exe
1676	Stolprende.exe
1676	Stolprende.exe
1676	Stolprende.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe
1700	fontview.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3004	Stolprende.exe
1676	Stolprende.exe
1676	Stolprende.exe
1700	fontview.exe
1700	fontview.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1676	3004	Stolprende.exe	29
PID 3004 wrote to memory of 1676	3004	Stolprende.exe	29
PID 3004 wrote to memory of 1676	3004	Stolprende.exe	29
PID 3004 wrote to memory of 1676	3004	Stolprende.exe	29
PID 3004 wrote to memory of 1676	3004	Stolprende.exe	29
PID 3004 wrote to memory of 1676	3004	Stolprende.exe	29
PID 1676 wrote to memory of 1700	1676	Stolprende.exe	34
PID 1676 wrote to memory of 1700	1676	Stolprende.exe	34
PID 1676 wrote to memory of 1700	1676	Stolprende.exe	34
PID 1676 wrote to memory of 1700	1676	Stolprende.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:1192
- C:\Users\Admin\AppData\Local\Temp\Stolprende.exe
  "C:\Users\Admin\AppData\Local\Temp\Stolprende.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\Stolprende.exe
    "C:\Users\Admin\AppData\Local\Temp\Stolprende.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\fontview.exe
      "C:\Windows\SysWOW64\fontview.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso15D3.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/1676-148-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1676-142-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1676-152-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1676-113-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1676-114-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/1676-143-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/1676-116-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1676-139-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1700-150-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/1700-153-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/3004-111-0x00000000770F1000-0x00000000771F2000-memory.dmp

Filesize
1.0MB

Download
memory/3004-115-0x0000000004080000-0x0000000004C67000-memory.dmp

Filesize
11.9MB

Download
memory/3004-140-0x0000000004080000-0x0000000004C67000-memory.dmp

Filesize
11.9MB

Download
memory/3004-110-0x0000000004080000-0x0000000004C67000-memory.dmp

Filesize
11.9MB

Download
memory/3004-112-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing