guloader | 1ed594cf043e2d668b317b459f232dc4fbe9d487b292a3d31af01d47ff8f6940

General

Target

INVOICE Med‮fdp.exe
Size

1.3MB
MD5

fdc3131b4d815e4ad668ede8d1253121
SHA1

de9d862086de79cceae300e7f9d16cb7bef2f72f
SHA256

1ed594cf043e2d668b317b459f232dc4fbe9d487b292a3d31af01d47ff8f6940
SHA512

4d3bd6c106d6853f3a971233bf77f351ddbedf41f1dc3fcd4969a6b63aa0d1c3a8fa40b4c0e54222675de4852b7f0122771b2e02501d0bc2432a2a59b57b4f15
SSDEEP

24576:UuDXTIGaPhEYzUzA0qr7lMaLBsw6oi0WO8K1/bMoyKoB10nv7gl:zDjlabwz9A1sw6oi0UeMoyjB10nDgl

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	INVOICE Med‮fdp.exe

Executes dropped EXE 1 IoCs

pid	Process
3156	Amperemeter.exe

Loads dropped DLL 2 IoCs

pid	Process
3156	Amperemeter.exe
1932	Amperemeter.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	drive.google.com
26	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tuberose.ini	Amperemeter.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1932	Amperemeter.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3156	Amperemeter.exe
1932	Amperemeter.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3156 set thread context of 1932	3156	Amperemeter.exe	90

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\caponizer.lnk	Amperemeter.exe
File opened for modification	C:\Program Files (x86)\Common Files\caponizer.lnk	Amperemeter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amperemeter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amperemeter.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023b93-6.dat	nsis_installer_1
behavioral2/files/0x000b000000023b93-6.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe
1932	Amperemeter.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3156	Amperemeter.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3156	3352	INVOICE Med‮fdp.exe	82
PID 3352 wrote to memory of 3156	3352	INVOICE Med‮fdp.exe	82
PID 3352 wrote to memory of 3156	3352	INVOICE Med‮fdp.exe	82
PID 3156 wrote to memory of 1932	3156	Amperemeter.exe	90
PID 3156 wrote to memory of 1932	3156	Amperemeter.exe	90
PID 3156 wrote to memory of 1932	3156	Amperemeter.exe	90
PID 3156 wrote to memory of 1932	3156	Amperemeter.exe	90
PID 3156 wrote to memory of 1932	3156	Amperemeter.exe	90

C:\Users\Admin\AppData\Local\Temp\INVOICE Med‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE Med‮fdp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\caponizer.lnk

Filesize
1KB

MD5
2fbf6692d7197ef9892e9486de5cf43b

SHA1
b394bf2a34cb370db494f851549f37864bd09efd

SHA256
3e5f566bc0711e8ba037f30fc959aedf846ab2e3c06e3e6495e7b8bc4be5bac0

SHA512
0972502d98f058fdd5c6d7980e0535efeadb35cd32c2b4ee025e5c897569bc445503d89612c35e85a61b4298c808015d22426422e66216304a49fdbb293b0b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Amperemeter.exe

Filesize
869KB

MD5
958fe2bd131370ee23176eef0417e9d2

SHA1
3f3baee39d5bb79213ad61e54f387830426b4f97

SHA256
b703206700ec5f02b085926da0e7a39df8a40a14d1389767d3c14ec7f42e97f8

SHA512
1186217c7f3f9b20386e1c87289ed3e2a32b5dcb12323d1a7e06bb2029d3a4d3f3044ad2b1be151bc362b1ccaf8f8fb73b40eae65ec812667e9861e771f2a146

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA059.tmp\System.dll

Filesize
11KB

MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA059.tmp\elbilerne.lnk

Filesize
952B

MD5
dfa6ee180b41299846960b05dfa7ff9e

SHA1
8006c458ce0d68227773cc0999df8138430e113d

SHA256
c9c63a5d123d75bbef7f32c78edc338f39133c19ca0bed5478e512c9208dde4a

SHA512
b9250ea06c95d376342cda11f20f2572a8604617b91035d637e42aaf513fca45813fb513d8a76c0a9d2a72e023b0382cd9cf6ffc1529f9ba04365bd354cac17b

Download Submit
memory/1932-375-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1932-388-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1932-389-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3156-370-0x0000000003130000-0x0000000005D53000-memory.dmp

Filesize
44.1MB

Download
memory/3156-372-0x0000000003130000-0x0000000005D53000-memory.dmp

Filesize
44.1MB

Download
memory/3156-373-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3156-374-0x0000000003130000-0x0000000005D53000-memory.dmp

Filesize
44.1MB

Download

Analysis

Sharing