guloader | 18e8dc7f0541f1b4d3394d57ff222b78d9a6c22c2151512dd84d28cd9fbb7f01

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/02/2025, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Totalforsikring.exe
Size

888KB
MD5

acd8c7211f329be0c798161973d6e437
SHA1

93b804432267947523bdbaf80d6d36ec7a028c5c
SHA256

18e8dc7f0541f1b4d3394d57ff222b78d9a6c22c2151512dd84d28cd9fbb7f01
SHA512

5bd28a73388a85942ad7a1fb568f20dc8b781e2be1aea61fba3def3fbdb8bb7178817889139b74277824fae29a15b87b8ddeba7c9326d6dd2e7c6b874256019b
SSDEEP

24576:F0fVDZQOtivSE8uN4BoR7qbiDLTmAYu+oA0Ar2P:St6O0vNNioKkMJ9C

Score

10^/10

guloader discovery downloader spyware stealer

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
1712	Totalforsikring.exe
1712	Totalforsikring.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	checkip.dyndns.org
14	reallyfreegeoip.org
15	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1684	Totalforsikring.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1712	Totalforsikring.exe
1684	Totalforsikring.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\komplementrt\halstrkldernes.dds	Totalforsikring.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Totalforsikring.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Totalforsikring.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1712	Totalforsikring.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	Totalforsikring.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1684	1712	Totalforsikring.exe	31
PID 1712 wrote to memory of 1684	1712	Totalforsikring.exe	31
PID 1712 wrote to memory of 1684	1712	Totalforsikring.exe	31
PID 1712 wrote to memory of 1684	1712	Totalforsikring.exe	31
PID 1712 wrote to memory of 1684	1712	Totalforsikring.exe	31

C:\Users\Admin\AppData\Local\Temp\Totalforsikring.exe
"C:\Users\Admin\AppData\Local\Temp\Totalforsikring.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\Totalforsikring.exe
  "C:\Users\Admin\AppData\Local\Temp\Totalforsikring.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoAC4B.tmp

Filesize
15B

MD5
64c34dda0003aa56030f5cef66dd8616

SHA1
8f3f9e66c5b9d35715b3c6d8aa800450f6db95fb

SHA256
a3f3ef6dbcdd25537eb2d093b42fcb85c2e84522ae1aab7bf924dc00eb3ef870

SHA512
0f01df79160393b6e7c6ea2d302bd9c1613a269ca0cb09d300d6c98dbff12e0aa3456e89c16842de77353c32edb4df565ac0709a66dc48375088f8dbba3b277f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstAB2E.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAB9E.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAB9E.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszAB9E.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszABED.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszABED.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszABED.tmp

Filesize
11B

MD5
f9e81875c2ac80cd228ff7615d6e6183

SHA1
bc60a68ab8522806b30affd832b5866643ec2031

SHA256
54d26d86b2ebde0a52271df5d2bcc911d881ada35d5716076d0411672f78e7b1

SHA512
6173811b6e692e85ac091f9e53ad9e392dc9853087756dae6907ae45b73704c1084ad64bb9730871b6f7dd16d871dfcf089fcf19746cbee68b783a691937d1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszABED.tmp

Filesize
35B

MD5
05c4dcd6fa077a2812c2bfbf2ec502ea

SHA1
01e3287dba597e303a4652fcfad8ea8fbac4ecd9

SHA256
74129f34b61ceae8131d84243df4f1433ccd11313cd67cea8d39d32a861883df

SHA512
247590121fa506f14e599ed49710f280f35cf5f39f9633b51c321000ae99631d7613dd3df9426eab6e0a114459df6b9281576ed938263ea2ca8f40ce55f359a9

Download Submit
\Users\Admin\AppData\Local\Temp\nstAB2F.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
memory/1684-587-0x0000000001860000-0x0000000004DC1000-memory.dmp

Filesize
53.4MB

Download
memory/1684-588-0x00000000776E0000-0x0000000077889000-memory.dmp

Filesize
1.7MB

Download
memory/1684-608-0x00000000007F0000-0x0000000001852000-memory.dmp

Filesize
16.4MB

Download
memory/1684-609-0x00000000007F0000-0x0000000001852000-memory.dmp

Filesize
16.4MB

Download
memory/1684-610-0x0000000001860000-0x0000000004DC1000-memory.dmp

Filesize
53.4MB

Download
memory/1684-611-0x00000000007F0000-0x000000000080E000-memory.dmp

Filesize
120KB

Download
memory/1712-586-0x00000000776E0000-0x0000000077889000-memory.dmp

Filesize
1.7MB

Download
memory/1712-585-0x00000000776E1000-0x00000000777E2000-memory.dmp

Filesize
1.0MB

Download