guloader | 4189edfc0aa08a91ae37b7d0cfd3c61eae29e8b72f800eb4740edebc4ba3f246

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO00408_PDF.exe
Size

540KB
MD5

5e296704dc35eb43c3365d6492671262
SHA1

1865af05a87698879496c739ca3a23abdbbbe2b4
SHA256

4189edfc0aa08a91ae37b7d0cfd3c61eae29e8b72f800eb4740edebc4ba3f246
SHA512

7617f1287c957845db63bc1fad2288e6d618ca6bd293bd0e92ef4e47aa35185936fe5a7e1a4e934c0ba4d9f4ed6da26b9bc8d0511e480015a514068b1c2ed59f
SSDEEP

12288:9bLlN73eJi4xLlj5lJNTYRVV1zqaMLceQTi4GCk9/PxCGGd/9hKVZFDN:9bzSJikj5KN1zfMLceQ6Ck9/PxOd3KP

Score

10^/10

guloader discovery downloader spyware stealer

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
3056	PO00408_PDF.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	checkip.dyndns.org
7	reallyfreegeoip.org
8	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2864	PO00408_PDF.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3056	PO00408_PDF.exe
2864	PO00408_PDF.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Obediences.Mon	PO00408_PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO00408_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO00408_PDF.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3056	PO00408_PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	PO00408_PDF.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2864	3056	PO00408_PDF.exe	31
PID 3056 wrote to memory of 2864	3056	PO00408_PDF.exe	31
PID 3056 wrote to memory of 2864	3056	PO00408_PDF.exe	31
PID 3056 wrote to memory of 2864	3056	PO00408_PDF.exe	31
PID 3056 wrote to memory of 2864	3056	PO00408_PDF.exe	31

C:\Users\Admin\AppData\Local\Temp\PO00408_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PO00408_PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\PO00408_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\PO00408_PDF.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsjDBC0.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/2864-13-0x00000000014F0000-0x0000000004F88000-memory.dmp

Filesize
58.6MB

Download
memory/2864-14-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2864-15-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2864-17-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/2864-16-0x00000000014F0000-0x0000000004F88000-memory.dmp

Filesize
58.6MB

Download
memory/3056-12-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/3056-11-0x0000000077471000-0x0000000077572000-memory.dmp

Filesize
1.0MB

Download