guloader | c386f2ccd7b71e4b2e3cd41265127a03edbc5a214cb3a426310df9cf4e6638bb

Sharing

Copy URL

Twitter E-mail

General

Target

c386f2ccd7b71e4b2e3cd41265127a03edbc5a214cb3a426310df9cf4e6638bb
Size

929KB
Sample

250204-e99awawjcz
MD5

86df9c1467eb9d8a9a383562e9c17d5c
SHA1

904bc088bb47fb15611b0f065d0397a81eb8056d
SHA256

c386f2ccd7b71e4b2e3cd41265127a03edbc5a214cb3a426310df9cf4e6638bb
SHA512

4352e804856a6e9c8db13e05f46c4deac7addd0473bf1e002b67e81aff5577fc37322f4a097808687fd4ab8f0b272a4eede066803e4bfa17c0363bead8447fa7
SSDEEP

24576:OQLnHw/PgJwl9t0vF1b9hxe28SZKcAlSjulSjGeHevO:nLnQ/4fDpXeNSZKHRvO

Score

10^/10

Malware Config

Targets

- Target
  
  c386f2ccd7b71e4b2e3cd41265127a03edbc5a214cb3a426310df9cf4e6638bb
- Size
  
  929KB
- MD5
  
  86df9c1467eb9d8a9a383562e9c17d5c
- SHA1
  
  904bc088bb47fb15611b0f065d0397a81eb8056d
- SHA256
  
  c386f2ccd7b71e4b2e3cd41265127a03edbc5a214cb3a426310df9cf4e6638bb
- SHA512
  
  4352e804856a6e9c8db13e05f46c4deac7addd0473bf1e002b67e81aff5577fc37322f4a097808687fd4ab8f0b272a4eede066803e4bfa17c0363bead8447fa7
- SSDEEP
  
  24576:OQLnHw/PgJwl9t0vF1b9hxe28SZKcAlSjulSjGeHevO:nLnQ/4fDpXeNSZKHRvO
Score

10^/10

guloader discovery downloader persistence
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  75ed96254fbf894e42058062b4b4f0d1
- SHA1
  
  996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256
  
  a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
- SHA512
  
  58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- SSDEEP
  
  192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  GPUSwitchConfigEditor.dll
- Size
  
  30KB
- MD5
  
  5f7447189d4ec29893c553f9648964ea
- SHA1
  
  eae212e89e5d49d1cc14a4665df30234cd1ef25c
- SHA256
  
  45b1912154c2f08546442fb066060d33b17efb2fbbdbba70a333f05b7f85619c
- SHA512
  
  45b798d31f95cbe007285ea2c8c9daf9f790ba0aebf8ff2cf3d05de76399a3af76e85d65ccfd2ebb3d6ab76680b2c1009320452e30296230c70844416b0dee77
- SSDEEP
  
  384:QPQmAWMnil1wp4BxhP9rHsA0kmjML9S/3ocId5Av2TFn0O0h0tH0DqkAOtDMQJKY:aAZil62R9T70vj1fovRPUxtQ2X9ch8F
Score

1^/10
behavioral5 behavioral6
- Target
  
  Svipturens/Razzia114/Loneliest/Office.dll
- Size
  
  437KB
- MD5
  
  6e84aaa11121d806dadc159ced3e3dda
- SHA1
  
  8cf17c0050f53f200c74fd08c66fe1d85a35d0c4
- SHA256
  
  808d0c62caec1e7b2d1ebc470e31eaba8f02a972710e2b3fa5b92f12dd5fdf09
- SHA512
  
  00f53f7c6d642e4364600eab853984dbf1a25fee442213a15ab2dd139cc2d3c870546d4ef7cc94bd9bc67f6969cc2a3ebabc9ebac5ad56ffdb250852429912f6
- SSDEEP
  
  12288:ssVUG62f8eQPrvGC9uk9IsbVYVsTEVcyjlycUn8o:ssVUG62f8eQPrZY6VYViEXo
Score

1^/10
behavioral7 behavioral8
- Target
  
  Svipturens/Razzia114/Loneliest/SolutionExplorerCLI.dll
- Size
  
  73KB
- MD5
  
  3a03b61fa01dcdff3e595d279f159d6e
- SHA1
  
  94900c28c23ad01d311c389a0813277cfb30345c
- SHA256
  
  4f4d6511bec955b4e8a30371ed743ea5ebc87ceb0bf93fe21f0a378aa2c05a01
- SHA512
  
  0d04d3486911dfe0439449554e90fb68b4d85eee025a9b89910c306de33cbfdbbef1abcac5d4cd3b3cc1b1f445b7c67dc341c9363c9b127810abd0498ec94ac4
- SSDEEP
  
  1536:GmY7dQU8l75gS4SqQR27YZW1cwvbTxUd6Rw:GmacliS49QR27YZW1vn2dWw
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Svipturens/Razzia114/Loneliest/System.Net.Requests.dll
- Size
  
  339KB
- MD5
  
  6c043dc1e9354ab650bf94729602a941
- SHA1
  
  bea9caeea318707cd0e0a5c23f9291377dc9f144
- SHA256
  
  4a62e7354d29be5e81521baaf67184fadffaa877a8c3d1bf9f7626a73aa0529e
- SHA512
  
  ec0eb5a1fda5a04f69ed0fd436d69144fb4b817dd14d0364b5c1438987fb827797f620711196c624a2c5842e7aa371b91e798ace1644ef540815c300a885d9dc
- SSDEEP
  
  6144:dWLUX6z6MOSOGK3PHTtLAbEs6Q32ZrUS/DprH6+BX6I:dWLm6znOSVKL1AbEHQ3qdBXd
Score

1^/10
behavioral11 behavioral12
- Target
  
  Svipturens/Razzia114/Loneliest/System.Net.WebSockets.dll
- Size
  
  176KB
- MD5
  
  7f85b7c64a20b7305713469a31111d76
- SHA1
  
  1223eb3db35fdbe428b751f6ff6b59d2ac3365d9
- SHA256
  
  0f31c6af054b9322ee803f2640e715e99bf2ecf57a29f3284f6561b7c86d433a
- SHA512
  
  ece40f75ee86bb3f21974be80c0a9f03bdccb74853c868ab00b1f15716f4e83e8d92e2cd0305d7a78008596bb6171cdfd6df63a9c2b009aad856ef7ccd89641a
- SSDEEP
  
  3072:bQJ1yJe/rJqtSA1S3aSG8MTU7HtFpq87repROMQKnXWfuYZbQLmvhnst/j81BVlj:OyJEaVS3A87rijBXW2mvhstQ1BaJRhg
Score

1^/10
behavioral13 behavioral14
- Target
  
  Svipturens/Razzia114/Loneliest/System.Runtime.Numerics.dll
- Size
  
  215KB
- MD5
  
  0509332c796c4dcef973de7126bc0798
- SHA1
  
  ef5d0463482918e99498bc517e041fda51860578
- SHA256
  
  a5e349aeae324810f0a0c16733595efd96cba0eb6d0c2720f8d5be44fd117a5c
- SHA512
  
  84192f9086619b85a6d3039d62ed60dda6fe7b017a2fcc073f7ddc6cc22aa3ce96b38693573a523d4e118dc452ddf53865fbb4f21db39c1f90868abee3b44d92
- SSDEEP
  
  3072:p000BT383qGuW/jNQsnIWN8caCh8yEJfYFmq2px7eYm9ULXuuMNXFcWrZr3T:aw3q5W/jz3N/rEJrFXLXuDcWr9D
Score

1^/10
behavioral15 behavioral16
- Target
  
  bass.dll
- Size
  
  241KB
- MD5
  
  1200fcb814c576d7d93071aea3362a6e
- SHA1
  
  744644c913cbb3661e11f40f44d79c4ef9eb2cd4
- SHA256
  
  ae98ba3a7be4fa5da578b32fcbafab7d4316b346cc3c1792edd012f638d1f027
- SHA512
  
  a23266067b7491b9d621061a054359f230657bb7ad8848f44c47557aa7527859b32628480e48c5d45a7123bd811455d889fbbc021b547ee580e8495e6e4bc1d0
- SSDEEP
  
  6144:cXnzJQgiBJUVzfl+Ih34dtUvZCM270tz:cVfiEVz9+IhI3ACM2
Score

1^/10
behavioral17 behavioral18
- Target
  
  lang-1031.dll
- Size
  
  167KB
- MD5
  
  9041e9265e1255f9c99db6fd9acbd3ec
- SHA1
  
  bde543f07124af9bd52bbaf2838ad154bee894d4
- SHA256
  
  557bd2393335451a9956aefe39caa9efd4473bd5ecf7d72847f0ce239f06302c
- SHA512
  
  068e3927f5364503f9f258a46775bfc942d007bae377de3a188a54e0a6439d462178b9935de6e02d47dd01f45b2f3cca52e7a00b918a850f3a613fa5056703f8
- SSDEEP
  
  3072:4JzKPYLvycnW+CLTegzQhK7JUfRtR+Ea9hI7AlfbamVXu8dIEhpg8XALZkwdlPa6:Oy7Az5
Score

1^/10
behavioral19 behavioral20
- Target
  
  lang-1042.dll
- Size
  
  89KB
- MD5
  
  e52c38d77e60b534b9f63f76f51dbe70
- SHA1
  
  f81f9a726f2d7880cf02c098f9443e3df72f5497
- SHA256
  
  a66eb9caad8387fe96030b8d464a561d76ba46e9b880e3a931e277020b2cf1df
- SHA512
  
  8c8b80c4ab26a6bfe78ddeaa684c4616132960e9cae07c374c86d9c80b16d205bcb2ba98cd51f70682f95d7b133ec6142128bb8724cc5a2a13991d8eabd99b89
- SSDEEP
  
  1536:Nw/WmI1o8uwBL5pcPqY0AUY9fdl/SFfxHdT3/h9+1UCD8ux4:aJI1o8jLHcPqY0AUY9fdl/SbR3ZY8ux4
Score

1^/10
behavioral21 behavioral22
- Target
  
  libfribidi-0.dll
- Size
  
  142KB
- MD5
  
  78b5a3b3b49d537c4c746711cfcaedb9
- SHA1
  
  1427f3f63dcfd4a8f5dcc831beead545426ebc1c
- SHA256
  
  f1d47b66f156563ad102715efae074e3018a1c5b15f83a567ff13b34f2dfb2c9
- SHA512
  
  a5c341c4bfee9630854133a29d6bbb8e4fa5c68f3854586cc98303961766e7205e18fb21f08a3176d3332b618f3e096cb2e872864321a0f92bf35cd28ba15d65
- SSDEEP
  
  1536:QH+cTZsIKM/nTeGj7Jxq/dncgPAN3HoRxbuqO000Ff2FT:3IKWTZJENcCQYRxNO000FeFT
Score

1^/10
behavioral23 behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Guloader family

Guloader,Cloudeye

Checks QEMU agent file

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24