guloader | 5aa8f85f8780482e7b5a44b3959002db8c003393c79db95a3797173a4ab4b182

General

Target

Maanedskorts.exe
Size

1023KB
MD5

cb2f4cdcccc338388de5a9c3e9650586
SHA1

6118a309dd65c6f4f09ea28495976717db36888f
SHA256

5aa8f85f8780482e7b5a44b3959002db8c003393c79db95a3797173a4ab4b182
SHA512

4a321953633c04ae3ef6d1a26b1bc3b8a12fd595b7ed674efe55dd8b51786b6e58311a5c9807b918d125749c1269fa3ca3f7cba116ee81cd12340308d4640756
SSDEEP

12288:lt010XA+kmlZ5eTSKD0FlylTie8IEb5qNQ2FyrGk7WEIxtO40EPfwia+wPrs09iQ:NtLj2oC8ZtqNJF+GrLvOmf8o06S/n

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
2400	Maanedskorts.exe
2400	Maanedskorts.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3068	Maanedskorts.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2400	Maanedskorts.exe
3068	Maanedskorts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maanedskorts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maanedskorts.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2400	Maanedskorts.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	Maanedskorts.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3068	2400	Maanedskorts.exe	32
PID 2400 wrote to memory of 3068	2400	Maanedskorts.exe	32
PID 2400 wrote to memory of 3068	2400	Maanedskorts.exe	32
PID 2400 wrote to memory of 3068	2400	Maanedskorts.exe	32
PID 2400 wrote to memory of 3068	2400	Maanedskorts.exe	32

C:\Users\Admin\AppData\Local\Temp\Maanedskorts.exe
"C:\Users\Admin\AppData\Local\Temp\Maanedskorts.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\Maanedskorts.exe
  "C:\Users\Admin\AppData\Local\Temp\Maanedskorts.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdBEAF.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoBEF0.tmp

Filesize
23B

MD5
8c367f7037d83ec5fc0be4bcd16dba9d

SHA1
0efc8b29b482afae9aaceef0d80a138ab9b527a9

SHA256
6f470f6196119f505cd2d1b132c50c06fd6522bbd6ffc95b992212093221b637

SHA512
356e4ee6b5572b174084957b61e2aaea850486e2c087b87019bcb7565013d86aadffdc1f3e70ec4c77be108519ce312a2db1896584a738d631c190c03f5fec56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoBEF0.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoBF40.tmp

Filesize
56B

MD5
5015c6424cab5d21d05f629104a2f8e8

SHA1
74ed0c9b417364680256e0fa7165f20975314ab3

SHA256
0670f12f85b13a6765c3958e2e5e014c9c1ca702c3a183b7fcbffc7525ecd72e

SHA512
cf2abdf27526c33b69f5aa87b6c3825a29d41ce659403da79ba53fbca108ac8ed58b2c7b15b3e2f44aefd2500ea8260491f790d328253a4f208cc0f08d9a30c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoBF8F.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyBF2F.tmp

Filesize
60B

MD5
f3d57f278ae2fa91066e3407aabc5ac8

SHA1
0d23896da45b4d6f6257c6674910eb5c18125224

SHA256
e2953d4dd8a4a065e1bc25b6da1c7ee66e3a352419f34201c3e8cfe75dde5981

SHA512
c636a4fe2829e931ef3e32b08ff298fc68c041f05161ea1e7f1872b764ee1663d78907c1c42097e9ea8adab952d0eebc0260f4c3091a935cf760f5f287517877

Download Submit
C:\Users\Public\Desktop\Varda.ini

Filesize
33B

MD5
340ad700cf73b73ea2313c044d40ea9a

SHA1
9b90cc3147d140fa936e308c2c320bdc385da93a

SHA256
55a2b8f5ef1d17023fd8245e69830cc961c0ce629eddc7ac1043c288cb3915b5

SHA512
4b31d10b80ae71197ac367c868569949224a4cd542bf0e9c188b816348ec8958f952525f939c827bddc8610f268dd12e310d6d2fc99071c741b3a38e062542b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBED0.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/2400-597-0x0000000003F10000-0x00000000050F1000-memory.dmp

Filesize
17.9MB

Download
memory/2400-598-0x0000000076E81000-0x0000000076F82000-memory.dmp

Filesize
1.0MB

Download
memory/2400-600-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download
memory/2400-599-0x0000000003F10000-0x00000000050F1000-memory.dmp

Filesize
17.9MB

Download
memory/2400-602-0x0000000003F10000-0x00000000050F1000-memory.dmp

Filesize
17.9MB

Download
memory/3068-603-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download
memory/3068-604-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/3068-624-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/3068-625-0x00000000014F0000-0x00000000026D1000-memory.dmp

Filesize
17.9MB

Download
memory/3068-626-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing