guloader | 654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3

General

Target

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
Size

788KB
MD5

a328e5c2bfd461feb3e832f24264abbe
SHA1

d3397b8b8ff445ac3f7b27c12419ae8880b7ecd4
SHA256

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3
SHA512

fb4a7a2b13000fc8955c9b5299a6f6b29d4ddb567fc1b04acc986d1e07522063416142cb3e9c270f8144a5aa35cd676def6eb1d73d65fe900d1154502c5d3bed
SSDEEP

24576:8opVCF2Ga2nhKzo2sKc+sPP9Sw21Iimv1GUvgk:8sCF2GpLVPowarmv1bR

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
3564	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	pid	Process	procid_target
PID 1788 set thread context of 3564	1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	85

Drops file in Program Files directory 2 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\ordstreng\spright.aor	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
File opened for modification	C:\Program Files (x86)\flekstidernes.uns	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Drops file in Windows directory 2 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	ioc	Process
File opened for modification	C:\Windows\glanes\skulapslangerne.bal	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
File opened for modification	C:\Windows\Dehorted.jil	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

pid	Process
1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

description	pid	Process	procid_target
PID 1788 wrote to memory of 3564	1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	85
PID 1788 wrote to memory of 3564	1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	85
PID 1788 wrote to memory of 3564	1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	85
PID 1788 wrote to memory of 3564	1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	85
PID 1788 wrote to memory of 3564	1788	654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe	85

C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
"C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
  "C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nslAF3D.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\Desktop\sexbombes.ini

Filesize
48B

MD5
020722cea174cdf2e504cdd0944e9935

SHA1
11efb296d9c118b4f7101173e0fd3e7927286dfc

SHA256
abf81fb4711b6f9b7ec09239c71a231876e85a9035d90385058f386d638f2f05

SHA512
72d4ab9ff93befd603c90fccb732a57f96ef0f0b66dab0ac6855e6a36314c6739b0d032162619cde1667e192591f502ecbdaf194dac5a10aeb2b302d851b1341

Download Submit
memory/1788-351-0x00000000041A0000-0x0000000004DD1000-memory.dmp

Filesize
12.2MB

Download
memory/1788-352-0x0000000077A51000-0x0000000077B71000-memory.dmp

Filesize
1.1MB

Download
memory/1788-353-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/1788-354-0x00000000041A0000-0x0000000004DD1000-memory.dmp

Filesize
12.2MB

Download
memory/3564-355-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3564-356-0x0000000001660000-0x0000000002291000-memory.dmp

Filesize
12.2MB

Download
memory/3564-357-0x0000000077AD8000-0x0000000077AD9000-memory.dmp

Filesize
4KB

Download
memory/3564-358-0x0000000077AF5000-0x0000000077AF6000-memory.dmp

Filesize
4KB

Download
memory/3564-359-0x0000000001660000-0x0000000002291000-memory.dmp

Filesize
12.2MB

Download
memory/3564-361-0x0000000077A51000-0x0000000077B71000-memory.dmp

Filesize
1.1MB

Download
memory/3564-360-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads