guloader | 09631538f6dad33f7a400df7e0338b117c36031df2019576c314ee3e57e5b42f | Triage

Sharing

General

Target

c9588e5d9db72f846f40635fc3b7bd9e_JaffaCakes118
Size

30KB
Sample

240829-wrg74swdlr
MD5

c9588e5d9db72f846f40635fc3b7bd9e
SHA1

23912578ee29ce30e6fe54a8a5945d2fbdca3e1f
SHA256

09631538f6dad33f7a400df7e0338b117c36031df2019576c314ee3e57e5b42f
SHA512

bbefc2964e449b4c97075b0cc9e2ca9a8fc0e53b2179dd5d7b1960c68039a266b34ea2ba0ba458682657a7ad9e18764086781195ef75043ca78b05e617fa882b
SSDEEP

768:UZS1JBnLLI3DleMkV+U42yrZh343cW+XdQYbRlpjdU:UZoJ90TDkH4lrZhdW+NzA

Score

10^/10

guloader discovery downloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1j83rG290csClfgpn9KyBz4qM42B1dx2W

Targets

- Target
  
  ArcelorMittal Trading - ARMT#4562198.exe
- Size
  
  120KB
- MD5
  
  04a2e456c4d65d43e9217eac7d90f9cb
- SHA1
  
  42320cbab30a997244f3aa370f28ee8fb425efb5
- SHA256
  
  154c8ad4fe041cb711c139005c210a63f15c3c030cab34e358256c4375a06aba
- SHA512
  
  f25cb6e5ed0cf45e084576dec7f8ad53cdca44796c59552ee025fe17871754c9d1419a0a436e0c57ef9fccb675dd55de3b9d9b0ecb9a99ba0ae48f1611c58266
- SSDEEP
  
  768:u3YiUCYV5XSEN95IQtkvQhHv1TfXRjMWzeIBglpbmAFDEF2HnA8iyB:u3YiJYVlLIW5RjoTlpyAa8ArU
Score

10^/10

guloader discovery downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloader

behavioral2

guloaderdiscoverydownloader