guloader | 164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729

General

Target

164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
Size

861KB
MD5

b062dbccf2a25f8a5a029fdc818ff871
SHA1

420b7a11723cf2baa977be0c37ccfa4ee1c55c9c
SHA256

164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729
SHA512

32f0bcf8077c119d73b27be16049b8f0dccdbf3cf160c7782df218c761475bc3f31c0f6f47a76b9c467334d4dd704320e16c0e930ee0d3544aa307858a8b6199
SSDEEP

24576:QPyqE0GP4TDRiB9P+/c0P3j/kSQ7KHuReqr/sblNP9Ex5:IE0K330j/usWp/sblNVE7

Score

10^/10

guloader defense_evasion discovery downloader evasion spyware stealer trojan

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe

Disables Task Manager via registry modification
defense_evasion

Loads dropped DLL 2 IoCs

pid	Process
2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	reallyfreegeoip.org
12	checkip.dyndns.org
14	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1200	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
1200	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1200	2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe	31
PID 2360 wrote to memory of 1200	2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe	31
PID 2360 wrote to memory of 1200	2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe	31
PID 2360 wrote to memory of 1200	2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe	31
PID 2360 wrote to memory of 1200	2360	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe	31

C:\Users\Admin\AppData\Local\Temp\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
"C:\Users\Admin\AppData\Local\Temp\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
  "C:\Users\Admin\AppData\Local\Temp\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe"
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bombarderende\havs\sacrificed\Cresphontes236\Ganske\rafraichisseurerne.jpg

Filesize
9KB

MD5
e83f9982d02f51d90ccb3e999ac89a95

SHA1
31a80a514244ac340625fe21fba299235f130cfc

SHA256
13cbbda804872162ff79fa0681d1dc828f803ca60247e9be06975ea21910af62

SHA512
9db2aa9509971a6e5fa9289a7f37db3cf67e4285c768e0d0181687f2f35a5d120afb70e023c2c52752b2eb58dbeadfacdf7eb303164baf77f06add2c9866f743

Download Submit
C:\Users\Admin\subtilizer.lnk

Filesize
1020B

MD5
d6a33e6cf93b64718d9b8bb3ccc5022b

SHA1
d33a7fc0167061854cfb6d8e0e5fda8ff3025d6e

SHA256
cce50e98fc3e5b5fe7a51f8f563ac1d2ad49b7357b5ea0059fa832fa9c7c2beb

SHA512
8c97e07880362e9ee2381eb59667c8a793d559fb7277ee4fcf91edc48ef2ee5339a7369893ecde5ba655f64fdf893de0c59eb9dcbae150498f480db698bc41ee

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE052.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/1200-327-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/1200-305-0x0000000001510000-0x0000000002748000-memory.dmp

Filesize
18.2MB

Download
memory/1200-306-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/1200-326-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/1200-328-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/1200-329-0x0000000001510000-0x0000000002748000-memory.dmp

Filesize
18.2MB

Download
memory/1200-330-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2360-303-0x0000000077691000-0x0000000077792000-memory.dmp

Filesize
1.0MB

Download
memory/2360-304-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/2360-302-0x0000000003620000-0x0000000004858000-memory.dmp

Filesize
18.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads