guloader | c8e41c717befab77f5b7a3641bc1f6c0832f9f8e80d30873be1a888e5bfaf7a8 | Triage

Sharing

General

Target

44606c062b149f83d21924f606e201fd_JaffaCakes118
Size

19KB
Sample

240729-nwl3vsxapm
MD5

44606c062b149f83d21924f606e201fd
SHA1

8ebd7ee687d6cfd5c1a1b73d3a5045e9804870f5
SHA256

c8e41c717befab77f5b7a3641bc1f6c0832f9f8e80d30873be1a888e5bfaf7a8
SHA512

6f217f81f91c3808b70704e2262f0d86c708c9e590cbe395ebc8cfd024063baaa75ca1937e7a6899e93a266cf886726b17bb30f24a39d7e48ae4788255c27c5a
SSDEEP

384:0ZeJYoOvTJ7IrJUBGQaaztPibUXYTP1QXpDRlw/Tum6TTOhy5:DJyvTFIrJYaakbUHXdEKPTTSy5

Score

10^/10

guloader discovery downloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1LmyqIluFJ5HoNT0VjWSvtPFmVfK-cvxy

xor.base64

Targets

- Target
  
  CEMENTOS-DOC.exe
- Size
  
  60KB
- MD5
  
  b7974ace4e5436770ce9b63a315fab68
- SHA1
  
  43aed757f4864e1fab98d88faf690d84435d036e
- SHA256
  
  994655b2cfd0979f7b96ae1f4423510633a82adf92fa6486dfd2f3243e96618d
- SHA512
  
  287938f69f46de39ceeb2bc078dbc6b6e0850f0ad0df676717bd0dba31ae1be4492dbf584c3c816ef7368a1eb01b5ddcbabee7341efc8cfb66fd1503008927cd
- SSDEEP
  
  768:CZZ3hCu+e5MxzVZpXEewlIAc9BRYxLznw72c:0rCupIZZFrWIbW/c
Score

10^/10

guloader discovery downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloader

behavioral2

guloaderdiscoverydownloader