guloader | b3cc4e1f09aa77a31e7071f2a505bfe5f13f9ec3cb73997b0d4a5ac36fc710fa

Analysis

max time kernel
151s
max time network
161s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BL-INVOICE SHIPPING DOCS.exe
Size

188KB
MD5

cc8150c1885727315c860476ce8ebae0
SHA1

dbca815ec369cff43692a34d84be2a360589e78f
SHA256

a4abc0bc968eada66e95fe7b0812f4cb11838f77fed0d2d46e4be0071284e725
SHA512

e8dbc4d502585596c5ac9464e43b903499d7ec4fb5784e0bca3f581f4e249bc8c15bff5f5eb3588cface35ff8e72991f097f826895688f22bd1e643ef9ef74f3
SSDEEP

3072:JrJRUvveVOHX1ZaGDYxF0qrUvveVOHX1ZaGDruz:1JuvmV2X14GDaF0tvmV2X14GDru

Score

10^/10

guloader discovery downloader guloader

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1q-1xTD9weiWyiJIbO51ubhF470YCiWrW

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader payload 1 IoCs

guloader

resource	yara_rule
behavioral23/memory/2448-2-0x0000000000280000-0x000000000028A000-memory.dmp	family_guloader

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2448	BL-INVOICE SHIPPING DOCS.exe
2984	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BL-INVOICE SHIPPING DOCS.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2448	BL-INVOICE SHIPPING DOCS.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2448	BL-INVOICE SHIPPING DOCS.exe
2448	BL-INVOICE SHIPPING DOCS.exe
2448	BL-INVOICE SHIPPING DOCS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	BL-INVOICE SHIPPING DOCS.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2960	2448	BL-INVOICE SHIPPING DOCS.exe	29
PID 2448 wrote to memory of 2960	2448	BL-INVOICE SHIPPING DOCS.exe	29
PID 2448 wrote to memory of 2960	2448	BL-INVOICE SHIPPING DOCS.exe	29
PID 2448 wrote to memory of 2960	2448	BL-INVOICE SHIPPING DOCS.exe	29
PID 2448 wrote to memory of 2960	2448	BL-INVOICE SHIPPING DOCS.exe	29
PID 2448 wrote to memory of 2960	2448	BL-INVOICE SHIPPING DOCS.exe	29
PID 2448 wrote to memory of 2960	2448	BL-INVOICE SHIPPING DOCS.exe	29
PID 2448 wrote to memory of 2956	2448	BL-INVOICE SHIPPING DOCS.exe	30
PID 2448 wrote to memory of 2956	2448	BL-INVOICE SHIPPING DOCS.exe	30
PID 2448 wrote to memory of 2956	2448	BL-INVOICE SHIPPING DOCS.exe	30
PID 2448 wrote to memory of 2956	2448	BL-INVOICE SHIPPING DOCS.exe	30
PID 2448 wrote to memory of 2956	2448	BL-INVOICE SHIPPING DOCS.exe	30
PID 2448 wrote to memory of 2956	2448	BL-INVOICE SHIPPING DOCS.exe	30
PID 2448 wrote to memory of 2956	2448	BL-INVOICE SHIPPING DOCS.exe	30
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31
PID 2448 wrote to memory of 2984	2448	BL-INVOICE SHIPPING DOCS.exe	31

C:\Users\Admin\AppData\Local\Temp\BL-INVOICE SHIPPING DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\BL-INVOICE SHIPPING DOCS.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\BL-INVOICE SHIPPING DOCS.exe"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\BL-INVOICE SHIPPING DOCS.exe"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\BL-INVOICE SHIPPING DOCS.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2448-2-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2448-3-0x00000000772F1000-0x00000000773F2000-memory.dmp

Filesize
1.0MB

Download
memory/2448-4-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/2448-6-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2448-25-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2984-5-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download