guloader | 654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3

General

Target

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
Size

788KB
MD5

a328e5c2bfd461feb3e832f24264abbe
SHA1

d3397b8b8ff445ac3f7b27c12419ae8880b7ecd4
SHA256

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3
SHA512

fb4a7a2b13000fc8955c9b5299a6f6b29d4ddb567fc1b04acc986d1e07522063416142cb3e9c270f8144a5aa35cd676def6eb1d73d65fe900d1154502c5d3bed
SSDEEP

24576:8opVCF2Ga2nhKzo2sKc+sPP9Sw21Iimv1GUvgk:8sCF2GpLVPowarmv1bR

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
1424	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
1424	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	pid	Process	procid_target
PID 2780 set thread context of 1424	2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	31

Drops file in Program Files directory 2 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\ordstreng\spright.aor	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
File opened for modification	C:\Program Files (x86)\flekstidernes.uns	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Drops file in Windows directory 2 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	ioc	Process
File opened for modification	C:\Windows\glanes\skulapslangerne.bal	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
File opened for modification	C:\Windows\Dehorted.jil	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2684	1424	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
1424	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	pid	Process	procid_target
PID 2780 wrote to memory of 1424	2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	31
PID 2780 wrote to memory of 1424	2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	31
PID 2780 wrote to memory of 1424	2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	31
PID 2780 wrote to memory of 1424	2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	31
PID 2780 wrote to memory of 1424	2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	31
PID 2780 wrote to memory of 1424	2780	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	31
PID 1424 wrote to memory of 2684	1424	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	33
PID 1424 wrote to memory of 2684	1424	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	33
PID 1424 wrote to memory of 2684	1424	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	33
PID 1424 wrote to memory of 2684	1424	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	33

C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
"C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
  "C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 660
    3⤵
    - Program crash
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\sexbombes.ini

Filesize
48B

MD5
020722cea174cdf2e504cdd0944e9935

SHA1
11efb296d9c118b4f7101173e0fd3e7927286dfc

SHA256
abf81fb4711b6f9b7ec09239c71a231876e85a9035d90385058f386d638f2f05

SHA512
72d4ab9ff93befd603c90fccb732a57f96ef0f0b66dab0ac6855e6a36314c6739b0d032162619cde1667e192591f502ecbdaf194dac5a10aeb2b302d851b1341

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF440.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/1424-357-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/1424-355-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1424-358-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1424-361-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/1424-359-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2780-352-0x0000000003D60000-0x0000000004991000-memory.dmp

Filesize
12.2MB

Download
memory/2780-354-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2780-353-0x0000000077471000-0x0000000077572000-memory.dmp

Filesize
1.0MB

Download
memory/2780-356-0x0000000003D60000-0x0000000004991000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads