guloader | fa95a74bd124a32e198c07511e563c2c5a3f9ec71a4a40ffb4de15b3b2b5ddf7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

justificante.exe
Size

745KB
MD5

f73f9b729a0171e1d1aabd214c1fc2bd
SHA1

ca95dc8efa2f5575ad590e08ddad9af4dda6b7d3
SHA256

fa95a74bd124a32e198c07511e563c2c5a3f9ec71a4a40ffb4de15b3b2b5ddf7
SHA512

9e2fa622880947025a69bd8df9407ab0d015a0181a37d3bdbbfa427ceb55faea2af02c6fe101f37e8d292524a1854601951fbb2604ed787c2d75e3b3b56940f0
SSDEEP

12288:0CT6YT8Rf2RR51iL7yLFO06tLUJstWI6ulekbiDBfR5j5TzIBCZYu+fQCZ0CZr21:0C6Y3RRriahD6tIJcW/ubiDLTmAYu+o/

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Downloads MZ/PE file 1 IoCs

flow	pid	Process
32	4780	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2252	justificante.exe
2252	justificante.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	drive.google.com
47	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2252	justificante.exe
1732	justificante.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\komplementrt\halstrkldernes.dds	justificante.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justificante.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justificante.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1072	MicrosoftEdgeUpdate.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2252	justificante.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1732	2252	justificante.exe	96
PID 2252 wrote to memory of 1732	2252	justificante.exe	96
PID 2252 wrote to memory of 1732	2252	justificante.exe	96
PID 2252 wrote to memory of 1732	2252	justificante.exe	96

C:\Users\Admin\AppData\Local\Temp\justificante.exe
"C:\Users\Admin\AppData\Local\Temp\justificante.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\justificante.exe
  "C:\Users\Admin\AppData\Local\Temp\justificante.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1732

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0IxQzg5QTgtODBERC00M0E1LUJDRDYtRjNFN0MwNEM3MjRBfSIgdXNlcmlkPSJ7QkYwREUyMkMtOEU5MS00MTQ0LUFDQUQtODQxREFCMkVDRjM4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEFEMUQ1MDItMDlBOC00RDc1LTg1MDktMUU0MTVGNTREREU1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTEyMTc0OTYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf8269.tmp

Filesize
60B

MD5
2c9840f016771a2ff1229498c258a4b5

SHA1
64f4235bec61eb65ce4069894e1c806fda7d3640

SHA256
a5fc1d733f2d6b8299e8e33d3a9c0b4b50ed6d2ba5b4efab4c49343cd47c59e8

SHA512
72d89e5dc118e8a00bf44e78288dd790932650774e07857eb14cad84473b9b6fa0c0d5476f91a3a3dd0d3a8e3a7de65a2dc917f7a6efb7ccaebb26af69fed934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf82B8.tmp

Filesize
37B

MD5
dec8b6831190f6689aa2819d1af12410

SHA1
dce8e8a8fcfe6631df7a55f0d7bf1ce9f6cdd9c5

SHA256
aaa3439174a448bb94e041e6cf8d825debe86feef80eb961882f15a6cfe6019e

SHA512
c100c46eb8ce2b83c25f92800df0b80e10542d6d56ecb97769a2fc03e4311a339c5bd95d4b178e36f3124d74f494f9231d9dfd3a5e4e8c160653e1af94613357

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf82B8.tmp

Filesize
40B

MD5
6daa617c5859b9e7a6bd52b66a2df9f7

SHA1
a72a8b70317979163b23da08f0be97b99741259a

SHA256
4396e41369d8705bdc7e1419f411070cfcf645fb3b1b0f07593c7f55fe9464f3

SHA512
597e07702b0dde7923da510b0223f89c8c13933f7fcc5f269aa332b94285a7bdcb447cdedd8f179395555b78be1a3a9979ee37ffb3f39212185334efbb16a789

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf82B8.tmp

Filesize
56B

MD5
8207f267f8794c84f18be7d5c6f82501

SHA1
4dad44b434c774435ec3c9d2b278bcff5cbbdd8e

SHA256
101a0930b7bec9af5d4c96ba564303cb4c27fd34258d8aa5cac1f0aeed526608

SHA512
3ede96701ac6c958909bfebed0d0277ab1343be0c2bced3b6aaa57d6355c81a8439e42734349420d8add83642a652c62407d1fdfedc8740a1b409a060f9de708

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj80B1.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu80A1.tmp

Filesize
47B

MD5
3463a4cc4cc8584279b312ee3ae746dc

SHA1
512bb30dc772b97916374c4ba7ac0263dab1ffa5

SHA256
4d9933ad3cb07723bac43a5c519fb12e5950334cf688b284acdfa4d8931d5620

SHA512
239e174c3cea06f716dfc802fd32bddfa78d51f07d91f1cfc28ab0bf125d22bd18c6f05af672b0b8edbb6a618f4e6492fe1b41150c34cc3196070961c34c010c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu80A1.tmp

Filesize
64B

MD5
814da453daa6269ca4ed4cd15266b28c

SHA1
82981f8c0d5d3ffccbf06fff867f8c3b1aaa454b

SHA256
791004efaa6a41452708fe5db95097b4681e4f4d386e33b8044088b8f736d743

SHA512
3336dbdf67c28567e9cd6a495e2e7d7e7fca21fccdff35b7c84588237829c32f69be5f733cbc3e3bf1614868a3e9e6000c5ff3116b4cc035723c37ca743cb948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu80A1.tmp

Filesize
72B

MD5
830f634fb44956d70a234c43be9c0b75

SHA1
1ebe612620e801a4db9256781c95048f7573edc7

SHA256
2a404ae066022b1d313fc3fa263e53ba387aa301e650cbca6379847bb1417381

SHA512
8aa1eeab0f139af87885916505c5dd56ba66771d2083da8d505878b09eaaff8b8c35d765a0770d4b7deca4414f9ae88070f91e9ba119c4dc9b44875bdd344132

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu80A1.tmp

Filesize
42B

MD5
b6a6fc39000a885d47bb4a68599189d2

SHA1
2e6af0f8af28d0ccf111437ebdef42fc9b87d976

SHA256
d0e907cfed7dd830efd34ab698cfbc7726f29b52b71479f6ee9cc34087925d26

SHA512
79f428030deceb2504105b031f605836640f70e070c23dfc3d8f815c3b08b7377cb53455e8a8333dd7b2fca5507da24682b809eb586d8ce3a223e532a93d9263

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8229.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv8317.tmp

Filesize
4B

MD5
ee11cbb19052e40b07aac0ca060c23ee

SHA1
12dea96fec20593566ab75692c9949596833adc9

SHA256
04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb

SHA512
b14361404c078ffd549c03db443c3fede2f3e534d73f78f77301ed97d4a436a9fd9db05ee8b325c0ad36438b43fec8510c204fc1c1edb21d0941c00e9e2c1ce2

Download Submit
memory/2252-586-0x0000000005000000-0x0000000007F1D000-memory.dmp

Filesize
47.1MB

Download
memory/2252-587-0x0000000005000000-0x0000000007F1D000-memory.dmp

Filesize
47.1MB

Download
memory/2252-588-0x0000000077AB1000-0x0000000077BD1000-memory.dmp

Filesize
1.1MB

Download
memory/2252-589-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2252-591-0x0000000005000000-0x0000000007F1D000-memory.dmp

Filesize
47.1MB

Download