guloader | d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b

General

Target

d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b.exe
Size

1.0MB
Sample

250111-f1qb3swkhx
MD5

8e4a2b26b311d9e5c9a920186b0b8025
SHA1

f433a5c5020d31b0278b659e01cbb3882c671487
SHA256

d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b
SHA512

06d922de26bf2808e740ae9c0d282c13dac4f4aa42e22458089f08b3297661ef2aefe16c0099bd1393fe5d443a10b1f425acf1fb2597ff63d31bbb37e76c613a
SSDEEP

24576:9jwKCNPYCP4T85MgzoEHzizaMr+GGU8HgpIw8hadmA:V1CSgSYoEOzJiGd+gpH8hadt

Score

10^/10

Malware Config

Targets

- Target
  
  d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b.exe
- Size
  
  1.0MB
- MD5
  
  8e4a2b26b311d9e5c9a920186b0b8025
- SHA1
  
  f433a5c5020d31b0278b659e01cbb3882c671487
- SHA256
  
  d314fe716123c0fac98d48d7d4acd4fe887217c2a9ad0fc96850235785f7f79b
- SHA512
  
  06d922de26bf2808e740ae9c0d282c13dac4f4aa42e22458089f08b3297661ef2aefe16c0099bd1393fe5d443a10b1f425acf1fb2597ff63d31bbb37e76c613a
- SSDEEP
  
  24576:9jwKCNPYCP4T85MgzoEHzizaMr+GGU8HgpIw8hadmA:V1CSgSYoEOzJiGd+gpH8hadt
Score

10^/10

discovery guloader collection downloader evasion spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Disables Task Manager via registry modification
  evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10

discovery
behavioral3 behavioral4