guloader | d7d478e5d58684d5842ac05e5ca9f094266d5583aafc7ba280124d114943af89

General

Target

22082024110122082024waybilloriginalinvoiceblpackinglistshipment2208202400000pdf.7z
Size

66KB
Sample

240822-pcwcvswdqb
MD5

eba9f676eb9e59df0ae484e5e247f04d
SHA1

9e52454ed4aebcfd543fad33f4abdd55e6f61327
SHA256

d7d478e5d58684d5842ac05e5ca9f094266d5583aafc7ba280124d114943af89
SHA512

b2149b3210d455987dfcd532e8405548eb8dbc86f1f05958d5c2f3faf0decaf7cccea42dac090d1208abf99471c8b8612ded44fe9a8f63288fa2474ef6353379
SSDEEP

1536:eS94LxNAlwsRtUuq2eHSSEK/tthddjiugGetCDTj06ixhhKSW9ubKY8:IxsRO/HX/ttDd8CDTjrixm9OB8

Score

10^/10

Malware Config

Targets

- Target
  
  waybill_original_invoice_bl_packing_list_shipment_22_08_2024_00000_pdf.vbs
- Size
  
  134KB
- MD5
  
  597c7745de1949be25d9c4849aa11cb7
- SHA1
  
  e2001dadfe1233b12c11b8cc1954f9183633a4fb
- SHA256
  
  31fc0e3296a248e9957c62e4060c92b895ca6ebb0a828e00ab7ef3608c498fb4
- SHA512
  
  7bb22bc64793ec32363fc409f38830fc101222239a4ee58a97cbfcc00d19a06a5da5a18c3eead92f04f5a3c52505bdb2883f542479858dc2b84653d96d28c2ce
- SSDEEP
  
  3072:FjGO63YDSdYB51Gy/ABuIWHwxoH0sHXaHb0bIkNTEx29Ojmplsz:NGO63WSdYB51Gy/quNHwaHdHqHb0bIko
Score

10^/10

guloader discovery downloader execution persistence collection credential_access defense_evasion privilege_escalation stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2