guloader | dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

dbaf0103b9...de.vbs

windows7-x64

dbaf0103b9...de.vbs

windows10-2004-x64

Sharing

General

Target

dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs
Size

25KB
Sample

240608-b1hvsafc2z
MD5

e21aac072a10d80842d362743e1ffa59
SHA1

d8b3aeffe2eedc17e06bafecd26b603c6a8908b9
SHA256

dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde
SHA512

7046ea4afb9ce9b490bf4fd7f2db533bded2eefc88dc64a80809f5e7fef6d184b2259a15cb06f6f1ebb92dcbd1a9b5f8d471ae1201557d07075827ad2a7ffa78
SSDEEP

384:r0Dk2uAnMKYHzkvaZGxeecfCPNPh7ZbIxUXGDZ6SMTXJ7pZXi7m4d4ud0oekM25z:r0o2/YHocW9ZUxa6K5i5B75aFzoWLv3K

Score

10^/10

guloader downloader

Static task

static1

Behavioral task

behavioral1

Sample

dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs

Resource

win7-20240508-en

guloader downloader

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs

Resource

win10v2004-20240508-en

guloader downloader

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs
- Size
  
  25KB
- MD5
  
  e21aac072a10d80842d362743e1ffa59
- SHA1
  
  d8b3aeffe2eedc17e06bafecd26b603c6a8908b9
- SHA256
  
  dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde
- SHA512
  
  7046ea4afb9ce9b490bf4fd7f2db533bded2eefc88dc64a80809f5e7fef6d184b2259a15cb06f6f1ebb92dcbd1a9b5f8d471ae1201557d07075827ad2a7ffa78
- SSDEEP
  
  384:r0Dk2uAnMKYHzkvaZGxeecfCPNPh7ZbIxUXGDZ6SMTXJ7pZXi7m4d4ud0oekM25z:r0o2/YHocW9ZUxa6K5i5B75aFzoWLv3K
Score

10^/10

guloader downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdownloader

behavioral2

guloaderdownloader

© 2018-2025

Terms | Privacy