guloader | 3111cc3de9babb4f7fa375cdd32ef0f96f80c66e629843559fd05ac7461f479c

Sharing

Copy URL

Twitter E-mail

General

Target

9b00715d77438200a4f54fa8f47ac17aab0cc166e95fc6737c2a78021b69a64e.zip
Size

479KB
Sample

241008-yh2aqszbkk
MD5

9ec87de97820ba0d2cde1d703163021f
SHA1

535c84d1982044e5f5753134dc322557e84b4cba
SHA256

3111cc3de9babb4f7fa375cdd32ef0f96f80c66e629843559fd05ac7461f479c
SHA512

afadf0b8f18c7a2debae9310f14359b4b2713a0c2f7fd769165f950ba08ca4e20214b0a91acd3d43d10a43456aafc9e4c55a8d0f717f1a5a036e6bee10ea710d
SSDEEP

12288:mk/ZaCIf1IvudnO+xhRj8tg7DTFcvBN1dzb32mli8/zMAMdEK9dKc:rRaX1Iv2thnyvBN/b32m/oA0z

Score

10^/10

Malware Config

Targets

- Target
  
  9b00715d77438200a4f54fa8f47ac17aab0cc166e95fc6737c2a78021b69a64e.zip
- Size
  
  479KB
- MD5
  
  9ec87de97820ba0d2cde1d703163021f
- SHA1
  
  535c84d1982044e5f5753134dc322557e84b4cba
- SHA256
  
  3111cc3de9babb4f7fa375cdd32ef0f96f80c66e629843559fd05ac7461f479c
- SHA512
  
  afadf0b8f18c7a2debae9310f14359b4b2713a0c2f7fd769165f950ba08ca4e20214b0a91acd3d43d10a43456aafc9e4c55a8d0f717f1a5a036e6bee10ea710d
- SSDEEP
  
  12288:mk/ZaCIf1IvudnO+xhRj8tg7DTFcvBN1dzb32mli8/zMAMdEK9dKc:rRaX1Iv2thnyvBN/b32m/oA0z
Score

1^/10
behavioral1
- Target
  
  9b00715d77438200a4f54fa8f47ac17aab0cc166e95fc6737c2a78021b69a64e.exe
- Size
  
  618KB
- MD5
  
  18fb2cccaa9ac71624eaceada006e938
- SHA1
  
  a25055a3b29ce0ee64d7e20eccced0f72ec737db
- SHA256
  
  9b00715d77438200a4f54fa8f47ac17aab0cc166e95fc6737c2a78021b69a64e
- SHA512
  
  5828d7ee60e66afac8d3650930ed8556adc9693ab32ca872cc16f71382568baa471827cee1162393b7bce2c725965bd92377e7960225e43e00aef87754a2215d
- SSDEEP
  
  6144:SyI5s2239XH7ySqrVWOqnBRryl2sIgghQtUnQl8uFfKIn4jma8LIwJzSdfoVLg68:H22tH7L0kel2sInQDlxnPn906OLhsI
Score

10^/10

guloader discovery downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  3f176d1ee13b0d7d6bd92e1c7a0b9bae
- SHA1
  
  fe582246792774c2c9dd15639ffa0aca90d6fd0b
- SHA256
  
  fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
- SHA512
  
  0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
- SSDEEP
  
  192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
Score

3^/10

discovery
behavioral3
- Target
  
  Bagpaa.Mon
- Size
  
  433KB
- MD5
  
  882a0d458279279c786d38a56f20b77d
- SHA1
  
  010e3688fc482a7e98e8c60baffe73f57800ee77
- SHA256
  
  375d0775b3fd050c4ae89f99abe1c2d71697d3180b32537ec3dffc320f81e9c4
- SHA512
  
  d52d469138e7fcd0b392eb8964e624e6fc0d60f23653b30827ac19bbcff7d62968d4692ccfbdda57e3d8cd42cfa1bf791321dd6436f48c1c9c4bec428a8330c0
- SSDEEP
  
  3072:BGo1P6b7nn68mltqdZl30ciddrEHJsP2JC:BGQP6b7npmTsp0c0RSJa2JC
Score

3^/10
behavioral4
- Target
  
  Condign.Str
- Size
  
  218KB
- MD5
  
  afd211403054996bd48e1a48ac7f7fe2
- SHA1
  
  9eabf5e146f2fca57906e46b81012f6b3ca02157
- SHA256
  
  1211392b8b3d61cf8ed4dbed0ad6ff93ae608faa1e9b124a55b60d33ab281a9d
- SHA512
  
  6c3a43a1b18d341357e902e317fcbda55284c34339ddf3e6fbd03481a92aa86d49794f5a7af488cf29c7d459c2f67bc78ebd5cd0500b55f34823681c5d636ff4
- SSDEEP
  
  6144:Qsi43bNkvibXjg2tgcFhhOGwcjuYpj1CbTD:A43byvib0spDhO/Muq1WD
Score

3^/10
behavioral5
- Target
  
  alsmekill.sta
- Size
  
  331KB
- MD5
  
  f6a8488b1b62b7ac3b0979c8fbeabb30
- SHA1
  
  9725896ebc26ccb2cb9060640b9e0d4a0618916f
- SHA256
  
  34dc9b70d0ce5223a531e499611f1208f3ae85aaef9973fc27e89190568f8ee2
- SHA512
  
  88a719685d0972290632c6b5a665184e79a98be22b76af28f18056f2e7a721a0b2d3b4a8815bce562426643e69f998f9e45f3ca62b3288eaafb71fe89a23ad20
- SSDEEP
  
  1536:JwpZQcXbJ+mf8ME8s+dg5Z90uGaXF9Pl7:W4cX8ncmxhGm
Score

3^/10
behavioral6
- Target
  
  boat.ast
- Size
  
  445KB
- MD5
  
  9911b32fe219697a738f39ae5766b512
- SHA1
  
  da67ebb043c778deea874e1c746483a2b65e533c
- SHA256
  
  1d3d52ecb41f725dc23080acb1acdfedf29bb5f167dcb75f89af837888421880
- SHA512
  
  fbf703cd56434bb14c6a1a34878f094be183d9f638d0f34074f7ee4c9d12db70a833679b496fcb1e4c6050c418a906221149aac70035bcda3c01d4272c0fe3e8
- SSDEEP
  
  768:WqBSYr/TzktUI9ql+6iD8iDu43pfrmQ+PHlyjwkZY51UG90JdfSDUsby4/FApmbO:I3TS9ymKhysrQEkRbwvL3xcbNyFN2Mv
Score

3^/10
behavioral7
- Target
  
  rupis.txt
- Size
  
  276B
- MD5
  
  668a01d3af55a42fbfdbb1e9dd730b59
- SHA1
  
  e0949d489a15516b3cd09f1043543c38e3688f1a
- SHA256
  
  6a7feebfe1f4330e611e6e1b3804619d329a9d3abd3a3ecbd9d441f884e9999d
- SHA512
  
  cf3f03583667362adcea4deb094513b84d3e275ebcc42a993f9293b7374618a1ba060d4c4bae446c02b329dde2a4579c152f54a1f7537a0f83a3e88406509459
Score

1^/10
behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8