guloader | 6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47 | Triage

Sharing

General

Target

6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47.vbs
Size

26KB
Sample

240608-bl91qaeh7y
MD5

ad1f9096929a1c7dee6bd63d6a8ab330
SHA1

1f0d1dbbfb49713f8c53dc798a14ebeb661e49dc
SHA256

6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47
SHA512

2b26aed4c2bacb25bde5f1fc1de2c5c061a852cdc8156b4f2bd2a72f40ce664e6a5b40728ea3754aa2caa4d9a847be4fb173e2051ecb118562d17e372aba0c23
SSDEEP

384:9nZHk2uAn/wy4C56jf76Y/dMNMzkGYVBm2B80O:9nZE26CA76GdMiz1aZBHO

Score

10^/10

guloader downloader persistence

Malware Config

Targets

- Target
  
  6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47.vbs
- Size
  
  26KB
- MD5
  
  ad1f9096929a1c7dee6bd63d6a8ab330
- SHA1
  
  1f0d1dbbfb49713f8c53dc798a14ebeb661e49dc
- SHA256
  
  6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47
- SHA512
  
  2b26aed4c2bacb25bde5f1fc1de2c5c061a852cdc8156b4f2bd2a72f40ce664e6a5b40728ea3754aa2caa4d9a847be4fb173e2051ecb118562d17e372aba0c23
- SSDEEP
  
  384:9nZHk2uAn/wy4C56jf76Y/dMNMzkGYVBm2B80O:9nZE26CA76GdMiz1aZBHO
Score

10^/10

guloader downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdownloaderpersistence

behavioral2

guloaderdownloaderpersistence