guloader | 1ed594cf043e2d668b317b459f232dc4fbe9d487b292a3d31af01d47ff8f6940

General

Target

INVOICE Med‮fdp.exe
Size

1.3MB
MD5

fdc3131b4d815e4ad668ede8d1253121
SHA1

de9d862086de79cceae300e7f9d16cb7bef2f72f
SHA256

1ed594cf043e2d668b317b459f232dc4fbe9d487b292a3d31af01d47ff8f6940
SHA512

4d3bd6c106d6853f3a971233bf77f351ddbedf41f1dc3fcd4969a6b63aa0d1c3a8fa40b4c0e54222675de4852b7f0122771b2e02501d0bc2432a2a59b57b4f15
SSDEEP

24576:UuDXTIGaPhEYzUzA0qr7lMaLBsw6oi0WO8K1/bMoyKoB10nv7gl:zDjlabwz9A1sw6oi0UeMoyjB10nDgl

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 1 IoCs

pid	Process
2400	Amperemeter.exe

Loads dropped DLL 3 IoCs

pid	Process
2400	Amperemeter.exe
2400	Amperemeter.exe
2776	Amperemeter.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tuberose.ini	Amperemeter.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2776	Amperemeter.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2400	Amperemeter.exe
2776	Amperemeter.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2776	2400	Amperemeter.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\caponizer.lnk	Amperemeter.exe
File created	C:\Program Files (x86)\Common Files\caponizer.lnk	Amperemeter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amperemeter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amperemeter.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000016b47-7.dat	nsis_installer_1
behavioral1/files/0x000b000000016b47-7.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2776	Amperemeter.exe
2776	Amperemeter.exe
2776	Amperemeter.exe
2776	Amperemeter.exe
2776	Amperemeter.exe
2776	Amperemeter.exe
2776	Amperemeter.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2400	Amperemeter.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2400	2096	INVOICE Med‮fdp.exe	31
PID 2096 wrote to memory of 2400	2096	INVOICE Med‮fdp.exe	31
PID 2096 wrote to memory of 2400	2096	INVOICE Med‮fdp.exe	31
PID 2096 wrote to memory of 2400	2096	INVOICE Med‮fdp.exe	31
PID 2400 wrote to memory of 2776	2400	Amperemeter.exe	33
PID 2400 wrote to memory of 2776	2400	Amperemeter.exe	33
PID 2400 wrote to memory of 2776	2400	Amperemeter.exe	33
PID 2400 wrote to memory of 2776	2400	Amperemeter.exe	33
PID 2400 wrote to memory of 2776	2400	Amperemeter.exe	33
PID 2400 wrote to memory of 2776	2400	Amperemeter.exe	33

C:\Users\Admin\AppData\Local\Temp\INVOICE Med‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE Med‮fdp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\caponizer.lnk

Filesize
1KB

MD5
2145e1bfa8f95ca27bb4cb228db56aad

SHA1
e0b246a86bf746dbc3c19c27d5a61a9ad7e2fd02

SHA256
33e3125c6cbff4a1a59b5e798b87e7e0065aa9e7676a262f1b72cba594249245

SHA512
109165944b9d07bec75f4b6e1157dd9bf3bf23fc60254d7622532ac393eaa3907b92ce400f5c71555b5d64a69b93839f5640e0eef3447a17b47b5773d48695ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe

Filesize
869KB

MD5
958fe2bd131370ee23176eef0417e9d2

SHA1
3f3baee39d5bb79213ad61e54f387830426b4f97

SHA256
b703206700ec5f02b085926da0e7a39df8a40a14d1389767d3c14ec7f42e97f8

SHA512
1186217c7f3f9b20386e1c87289ed3e2a32b5dcb12323d1a7e06bb2029d3a4d3f3044ad2b1be151bc362b1ccaf8f8fb73b40eae65ec812667e9861e771f2a146

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB869.tmp\elbilerne.lnk

Filesize
936B

MD5
73c45c3cbee6fdf0fdd9a5b7952ceaf8

SHA1
1e45c6c3ef89d09217c6e7950e6787023bb3f8c0

SHA256
60135b3f8125f243c01dbd359dc8c7ff1d459bc1bee44487310216039e770c61

SHA512
029ef6b641de645b6c200440a669d540b3acf5b637da27e8a1396fb5722212be6585d3de3bd9b7eb80450ae1a6a3c0b8d726a5fcfc661096a43eb1a0caef4804

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB869.tmp\System.dll

Filesize
11KB

MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
memory/2096-4-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2400-373-0x0000000077051000-0x0000000077152000-memory.dmp

Filesize
1.0MB

Download
memory/2400-372-0x0000000003630000-0x0000000006253000-memory.dmp

Filesize
44.1MB

Download
memory/2400-374-0x0000000003630000-0x0000000006253000-memory.dmp

Filesize
44.1MB

Download
memory/2400-375-0x0000000077050000-0x00000000771F9000-memory.dmp

Filesize
1.7MB

Download
memory/2400-378-0x0000000003630000-0x0000000006253000-memory.dmp

Filesize
44.1MB

Download
memory/2776-379-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2776-380-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2776-401-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing