guloader | f693c8b77350a926172ea22f3447fd74071cfb014344f29234348704f880e3c2

General

Target

PO No. 0146850827805 HSP00598420.exe
Size

1.1MB
MD5

be8f9aeb5caa110946c26b51073394c2
SHA1

aef14aba6b6e241b2e1b30ec79426cd070b1c421
SHA256

f693c8b77350a926172ea22f3447fd74071cfb014344f29234348704f880e3c2
SHA512

20f1dcd5f3810d823cda6ba627a9c8b004c275f704d571d491fca947ace5e4866aa1cb67c35aabb7ee5d99c31f6af7428c94c843117daae550c31efc7fc49054
SSDEEP

24576:x4nhDoAFKhX4McljuqV+XcFpQBNFE5dZNXLGQ7WczkxFnfbP90:x+hkl1CVuS4n5EtNXKQKczg2

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2384	PO No. 0146850827805 HSP00598420.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1580	PO No. 0146850827805 HSP00598420.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2384	PO No. 0146850827805 HSP00598420.exe
1580	PO No. 0146850827805 HSP00598420.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 1580	2384	PO No. 0146850827805 HSP00598420.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\brisantgranatens\baegersvamp.For	PO No. 0146850827805 HSP00598420.exe
File opened for modification	C:\Program Files (x86)\Common Files\Azonic255\lithoclase.ini	PO No. 0146850827805 HSP00598420.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO No. 0146850827805 HSP00598420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO No. 0146850827805 HSP00598420.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1580	PO No. 0146850827805 HSP00598420.exe
1580	PO No. 0146850827805 HSP00598420.exe
1580	PO No. 0146850827805 HSP00598420.exe
1580	PO No. 0146850827805 HSP00598420.exe
1580	PO No. 0146850827805 HSP00598420.exe
1580	PO No. 0146850827805 HSP00598420.exe
1580	PO No. 0146850827805 HSP00598420.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2384	PO No. 0146850827805 HSP00598420.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1580	2384	PO No. 0146850827805 HSP00598420.exe	30
PID 2384 wrote to memory of 1580	2384	PO No. 0146850827805 HSP00598420.exe	30
PID 2384 wrote to memory of 1580	2384	PO No. 0146850827805 HSP00598420.exe	30
PID 2384 wrote to memory of 1580	2384	PO No. 0146850827805 HSP00598420.exe	30
PID 2384 wrote to memory of 1580	2384	PO No. 0146850827805 HSP00598420.exe	30
PID 2384 wrote to memory of 1580	2384	PO No. 0146850827805 HSP00598420.exe	30

C:\Users\Admin\AppData\Local\Temp\PO No. 0146850827805 HSP00598420.exe
"C:\Users\Admin\AppData\Local\Temp\PO No. 0146850827805 HSP00598420.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\PO No. 0146850827805 HSP00598420.exe
  "C:\Users\Admin\AppData\Local\Temp\PO No. 0146850827805 HSP00598420.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst9BB5.tmp\System.dll

Filesize
12KB

MD5
d6f54d2cefdf58836805796f55bfc846

SHA1
b980addc1a755b968dd5799179d3b4f1c2de9d2d

SHA256
f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9

SHA512
ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db

Download Submit
memory/1580-21-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1580-22-0x00000000772B0000-0x0000000077459000-memory.dmp

Filesize
1.7MB

Download
memory/1580-23-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1580-44-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1580-45-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1580-51-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2384-16-0x0000000003BD0000-0x000000000622C000-memory.dmp

Filesize
38.4MB

Download
memory/2384-17-0x00000000772B1000-0x00000000773B2000-memory.dmp

Filesize
1.0MB

Download
memory/2384-19-0x00000000772B0000-0x0000000077459000-memory.dmp

Filesize
1.7MB

Download
memory/2384-18-0x0000000003BD0000-0x000000000622C000-memory.dmp

Filesize
38.4MB

Download
memory/2384-20-0x0000000003BD0000-0x000000000622C000-memory.dmp

Filesize
38.4MB

Download

Analysis

Sharing