guloader | ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55 | Triage

Sharing

General

Target

20a43f57dc505ffac0da8b49d91fd322_JaffaCakes118
Size

152KB
Sample

241008-kql9wssame
MD5

20a43f57dc505ffac0da8b49d91fd322
SHA1

ee9132b380e1307a283dcca9a7e54fcf333aa4d6
SHA256

ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
SHA512

c10d6dfec99f6b91235d7f619e12ef56d432faa36e53da9d4469dad87ad5206628992d2b7258b48d0e1dfa5a9d011cbd2f421bdd2d48f9c72ef11e45addea625
SSDEEP

3072:/xEJpxEqxE2wzTvvfQ+2U4gzEy2fAC4wrw9xEAxEKxEJ:pEJ7EAE2l3Dp6EmEgEJ

Score

10^/10

guloader discovery downloader

Malware Config

Targets

- Target
  
  20a43f57dc505ffac0da8b49d91fd322_JaffaCakes118
- Size
  
  152KB
- MD5
  
  20a43f57dc505ffac0da8b49d91fd322
- SHA1
  
  ee9132b380e1307a283dcca9a7e54fcf333aa4d6
- SHA256
  
  ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
- SHA512
  
  c10d6dfec99f6b91235d7f619e12ef56d432faa36e53da9d4469dad87ad5206628992d2b7258b48d0e1dfa5a9d011cbd2f421bdd2d48f9c72ef11e45addea625
- SSDEEP
  
  3072:/xEJpxEqxE2wzTvvfQ+2U4gzEy2fAC4wrw9xEAxEKxEJ:pEJ7EAE2l3Dp6EmEgEJ
Score

10^/10

guloader discovery downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloader

behavioral2

guloaderdiscoverydownloader