guloader | 8c00c454e6ad4bd1f3da75c64bbfbec9e5d1c60f8d1261d3416092a5286244b7 | Triage

Sharing

General

Target

JaffaCakes118_8c00c454e6ad4bd1f3da75c64bbfbec9e5d1c60f8d1261d3416092a5286244b7
Size

485KB
Sample

241229-n6efrs1lf1
MD5

935991d96b89502a4f8a0f30840fa2c0
SHA1

67e4f358023aa8d9b0b78a40814b20dd87e29960
SHA256

8c00c454e6ad4bd1f3da75c64bbfbec9e5d1c60f8d1261d3416092a5286244b7
SHA512

dbdfac9569f625a550635a689211144cf4c266592ac91f8e8f78dbc216dd449634095a68bd9736a799cd99c58b0a6005c7379a9dc4eb66b26a5a5d33fee27780
SSDEEP

12288:L0Fh6RXy4b9zveX3ZAQF+ru+IUQxLqycHk7Xs:Mhi5zU3ZAQF+kLNwHk78

Score

10^/10

guloader discovery downloader execution

Malware Config

Targets

- Target
  
  JULSA 2210229506A.vbs
- Size
  
  733KB
- MD5
  
  aec804daef54d95f792c3f15412535ea
- SHA1
  
  caefec8e0f73270559edbf714fbb703f100a02b1
- SHA256
  
  eb2a3f6ebe19514c6f1f7795eb65b4e3d2c0584ad754b06ad89ce6b4d247770f
- SHA512
  
  8c6420299ded52dfad338ed391ae16b13b1ac8bcb8f9482fc99e6916a9b8ae3c8dd7eadb8076d8770172369526f6ba11f87f94d72d779d7d157e7818136f3a5f
- SSDEEP
  
  12288:UoC/EqeqN8AmHXmXt7QUu38zUL9ZaYTTr8DDdSfLmXe3l6GLOYv0Z:PCHGXm97zvUL9LOg6O3YYvy
Score

10^/10

guloader discovery downloader execution
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloaderexecution

behavioral2

guloaderdiscoverydownloaderexecution