guloader | 7ca204f398d0ca98eb3d2d76c2f05b382341fe416e761cf7e4ebb4c9db5593b5

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-02-2025 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hermaean.exe
Size

1.0MB
MD5

a5350eaa7864ac06277c445e0f52f9d9
SHA1

9a589f6dcbb0ee908a1665501b3e249a00c05db8
SHA256

eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5
SHA512

19cbd739728359dff2932ee72bf923598fe523ed2c08fc3d42f4e535e94e8cd7b0c4165eb1f3e4b54ef96b403396571b9ce9d3042ceacb996237d78b3347e2d1
SSDEEP

24576:NtLjOxH2phdL18qdTJhxEvGuw48Qw1J+FOZVKgyhz:NtLiwhd3dzxYfw4krkOZxy9

Score

10^/10

guloader discovery downloader spyware stealer

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
2600	Hermaean.exe
2600	Hermaean.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org
16	reallyfreegeoip.org
17	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2468	Hermaean.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2600	Hermaean.exe
2468	Hermaean.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hermaean.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hermaean.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2600	Hermaean.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	Hermaean.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2468	2600	Hermaean.exe	30
PID 2600 wrote to memory of 2468	2600	Hermaean.exe	30
PID 2600 wrote to memory of 2468	2600	Hermaean.exe	30
PID 2600 wrote to memory of 2468	2600	Hermaean.exe	30
PID 2600 wrote to memory of 2468	2600	Hermaean.exe	30

C:\Users\Admin\AppData\Local\Temp\Hermaean.exe
"C:\Users\Admin\AppData\Local\Temp\Hermaean.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\Hermaean.exe
  "C:\Users\Admin\AppData\Local\Temp\Hermaean.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
47B

MD5
ae27ee359bb9033a6be837e5815a880c

SHA1
a0d4c882b59ef3b726049c5c636ff044799ce995

SHA256
e8297f52af1b042ee9e38b6de31c4b54fecf457a510930f889a8bcd3e97e71b7

SHA512
ea107b37b71d87df8dea64376ff661871875bd2634a083663f2da791658b9b17a26f313627fa0c34d4b6fbf4c78e967c056eaa692f9a09627f2a267e23a75366

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
46B

MD5
23b45a4a80d69116cac99a305dd43bb8

SHA1
1c92ca0f323ef199f55ac1b6bb81677d819a638c

SHA256
df264eee3e425c226ea7a06a95ae43f92858a84465f456956e35a906887d49e6

SHA512
a7c38a32dae130b9768b178218e41d15ada802c4a01e77fef8d5760ef37c187d12048a2706a6137de732345e94bdfb7861545d36b09cca9a61acd8331a581833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu872F.tmp

Filesize
55B

MD5
4346ab6b2caa149a1b0bb520823e67d0

SHA1
19ecab5f2a87ffec7c66f683a58dbc3327004933

SHA256
4045cefd799302ac6cf890d93598d0d68da61e586298c37a82660f3e1af2ee3c

SHA512
517ac4c06e37896692b495ccc43e7c89fbbf67884860a00acc6211cc28ff950b841180f393c8ee92d607a67a90d3edd218770107a03880a7623b3af1dd488434

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu881A.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu881A.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu881A.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz826B.tmp

Filesize
11B

MD5
bad78a997013818e85c1091ce1f575e0

SHA1
fa7b6b576c9b365194a222dfd1d3805121544fd3

SHA256
e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d

SHA512
c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4

Download Submit
C:\Users\Public\Desktop\Varda.ini

Filesize
33B

MD5
340ad700cf73b73ea2313c044d40ea9a

SHA1
9b90cc3147d140fa936e308c2c320bdc385da93a

SHA256
55a2b8f5ef1d17023fd8245e69830cc961c0ce629eddc7ac1043c288cb3915b5

SHA512
4b31d10b80ae71197ac367c868569949224a4cd542bf0e9c188b816348ec8958f952525f939c827bddc8610f268dd12e310d6d2fc99071c741b3a38e062542b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsz849E.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/2468-621-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2468-625-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2468-626-0x00000000014F0000-0x00000000046EA000-memory.dmp

Filesize
50.0MB

Download
memory/2468-627-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/2600-598-0x0000000003A60000-0x0000000006C5A000-memory.dmp

Filesize
50.0MB

Download
memory/2600-599-0x0000000077C21000-0x0000000077D22000-memory.dmp

Filesize
1.0MB

Download
memory/2600-600-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download
memory/2600-602-0x0000000003A60000-0x0000000006C5A000-memory.dmp

Filesize
50.0MB

Download
memory/2600-597-0x0000000003A60000-0x0000000006C5A000-memory.dmp

Filesize
50.0MB

Download