guloader | adf56f3ecfe4c24602fa46f3d844160218b6851cbdfadbf9bd0c26cdcac972ff

Sharing

Copy URL

Twitter E-mail

General

Target

Request for Quotation-password(YmNUzkQ6).zip
Size

1.0MB
Sample

250210-zhl2gsxmb1
MD5

48120e3131a644eb838a0ac10db5b335
SHA1

f5622f5305b091cfbe625ddc2148055836299f03
SHA256

adf56f3ecfe4c24602fa46f3d844160218b6851cbdfadbf9bd0c26cdcac972ff
SHA512

9aecfc04f81cc03fa5ace8501a34e41db5c11ac0b9c8624fb9edbefb3e4cbca0aef3105e33d5cc33b23940d8fd6ff089eede09f075bee4c34fd3c7ce06ed7479
SSDEEP

24576:KDlm6cHito6uy2ww/btGQSgpI+to7rsGQ+7YCtPw:KUHjy2N3Sb+Es3+TtI

Score

10^/10

Malware Config

Targets

- Target
  
  5cff833cda140c94102c03839ebfbfbe7ccd8402fc8ced1d1c3ee43441ecddb0.eml
- Size
  
  1.0MB
- MD5
  
  39d04d023805b8d85d484f69eb311755
- SHA1
  
  b859e0b0ca718e7e907afb00201d4076c3a7d739
- SHA256
  
  690399f94d9c41cc62ec218ffb47c998bdf671f4a6bc4431d070d16696ba5c64
- SHA512
  
  a19bd818d4294ead0790eabf7e632a3ec7ebdd1a422285d0ecb2b8084e9654ce22fc49eaabc37d80abdf60e230d77864fa8028de438cbe9baf4d9ba57ed1dbbc
- SSDEEP
  
  24576:pVxkAQ3+V3cgwODcbgibt0TNx4W5jWIgcEsh5EA1HkIMS5rx:xZQO9MzrCTN8It1sAx
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral1
- Target
  
  Request for Quotation_TT10102025_pdf.txz
- Size
  
  745KB
- MD5
  
  a787fb9148d780d288fe001a294df246
- SHA1
  
  7e7f638b8c51f44836c70bee53672e4f6fbf1980
- SHA256
  
  fac8faa522eb3ee0f654903444415c8d45904296a3cea38f0208070386888caf
- SHA512
  
  4b9989c97707043c0be040b42443f0bc07524e53c542bb4909ad641d42e0d5c693470a55f8ced109c5dc8ec17d6e62f8d816679ea285d2f58de7081ba3c81e7c
- SSDEEP
  
  12288:3hCYGnbd7LB0vL3u84okQPjz7VkPPWoc+1KH23TJVaH6sxJQcaF7C6:3kYKh7V0vL3zZPRdox53Hm6
Score

1^/10
behavioral2
- Target
  
  Request for Quotation_TT10102025_pdf.exe
- Size
  
  867KB
- MD5
  
  cc927d1efa24a3e2bbce49f12c3398b3
- SHA1
  
  cddc057ccece5b12599120e3a39d0f0d16e24082
- SHA256
  
  edbd20bf11d0af152bf3e62450f012f95a2068664e90b7384929732c0dca5cb5
- SHA512
  
  a941f0d338b2ab60d32bd2106bbdb86614e93d160eaf50e0c74a34435d5f8f2cc019b822f8595c7e24c9050687fca4b7d585c8bf166b3a1386182a839454f21a
- SSDEEP
  
  24576:Q4nbY9dZZZZZZZZZZyHsAmOaLH2xihEzJvvV3HQmhQ436/zu:Q+qZZZZZZZZZZ+sApE5hEzJvv1wzq6y
Score

10^/10

guloader collection discovery downloader spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Downloads MZ/PE file
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  d6f54d2cefdf58836805796f55bfc846
- SHA1
  
  b980addc1a755b968dd5799179d3b4f1c2de9d2d
- SHA256
  
  f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9
- SHA512
  
  ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db
- SSDEEP
  
  192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral4
- Target
  
  Axonolipa/pinacocyte/starving.jpg
- Size
  
  21KB
- MD5
  
  2475386fd6465cb63552c04518117cc6
- SHA1
  
  5962256529202cca6a2e643bfdad222346d69f8e
- SHA256
  
  239ec6d95e63166c4dc153e96593619c58e58578be24c85f10ac0a81fe9bdda7
- SHA512
  
  d50bd6a82ba31d495ed031d4db484a002d7edc4ac5ea7754eab1ccfefd93a84cc3252dee4b5a2bb610b4e9491c3c3a8e8425fe0c402aaee30964455836dcc635
- SSDEEP
  
  384:vw8+ayqZ4ALy8VWjmIZvsp0eeaILupt6JnHovz+KlNSjuIh2aXBTonNRWG:vw8+5Au8Qw0naoupmhh2U0NX
Score

1^/10
behavioral5
- Target
  
  Axonolipa/pinacocyte/statuerne.ini
- Size
  
  6KB
- MD5
  
  3831c556867d436a133a9b5fdf79684b
- SHA1
  
  13ae2213b073f3196abb859e38f83f95555b3938
- SHA256
  
  78a17c216a3bf8284794d00947540106614d492d316c77551f4ef1ba6c5c0a62
- SHA512
  
  2d52b046644156640f2fbf925c1bbf6b3711c1f0aa884382ae7f7cccde950faa308ad2e25f70c8c8dc4a3462cd874204fbf1cb07f6e96e08e2fd3c1e5fdeba92
- SSDEEP
  
  192:LmUYxmVeZsegZLmEg6wDlUacWkDzGaJIPSTSI:yxQemZLzg66lqDyavSI
Score

1^/10
behavioral6
- Target
  
  Axonolipa/pinacocyte/tatarisk.jpg
- Size
  
  65KB
- MD5
  
  253fba4328c0bd2a6a545b30a3eb2774
- SHA1
  
  7fe8f395af1d8830f75e7e745aeb2cdde9f0e061
- SHA256
  
  600306a1abc1cb0582dc243c1488739470f08244fac2576714b3503c6059cb19
- SHA512
  
  046cb1b41f366b88960afe4eb841fdb07ab4ac76627141149c0202111912f8df2c13182d5fe8b7afed553920bfb60bc0a496aad138bb9f18f1515a6e5f59756e
- SSDEEP
  
  1536:MQJM3Mn2nS9V8F1ybMLoh7C6dwFRWjVlcc3YWw3twgMkNfTr1:TJM3Mn2n88FMMXewFRecKYTr1
Score

1^/10
behavioral7
- Target
  
  Axonolipa/pinacocyte/udsortering.jpg
- Size
  
  11KB
- MD5
  
  93066b05f4d44458fca79ae8f224eb61
- SHA1
  
  53aed2782bdced333a43b4ba2e44626be9523a7d
- SHA256
  
  d201c46604ea15c19901f24f0effc0e0c1092b20a979ddbbf44775aea7114400
- SHA512
  
  12d6f4cb1f2a5f6ac4dd4994317ca3020bedd4f51b2ed8cc5a2a1bd684d9b8a1914f0645754578ca8c45ae531cab09ab9b21b9d471481eab42e283ce172044db
- SSDEEP
  
  192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRn:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/p
Score

1^/10
behavioral8
- Target
  
  Axonolipa/pinacocyte/undisposed.aff
- Size
  
  199KB
- MD5
  
  dd342206ff527188a6c6170732d0546a
- SHA1
  
  3557869f7de168b288da8386a1ef6db5e2477fc9
- SHA256
  
  f5c8afdd60c6c815f21560765af73ede0da98573a9da398467abdce30e994c9b
- SHA512
  
  421b988bc9d5356f402cf4bae5816e78cd28d35931c0667ce7947b06b65131f5e95adad485a11564c5c8627ac7fe279452ebad1b917e0fec53796c913f19ad74
- SSDEEP
  
  768:WXmsv9pSjlQaOvcHQi1qS+9i5JytPRctWMP7yOWS7twXm8kQhMjORtOyc1oH27xH:sqYcPpyRYDNVE4F9x
Score

3^/10
behavioral9
- Target
  
  Axonolipa/pinacocyte/urremmenes.jpg
- Size
  
  6KB
- MD5
  
  4ea3437e960b9e8f828b52d8d4f3f1ab
- SHA1
  
  b3320414e43ec606e7dd397a365bfcde9a794008
- SHA256
  
  15107dddca248ed0d61a5e1e38846406e3605bb49042d7c9f98c54bc8c00d0fc
- SHA512
  
  da0be4d89c7afc5f2cdeac99affa420107b2aaa1ad9393c87506c09b062367329e30e796677939e76f0c8f8f8c924af309c7f0fbebfc6d249fa9cfadfb6988b6
- SSDEEP
  
  192:LmUYxmVeZsegZLmEg6wDlUacWkDzGaJIPSTSj:yxQemZLzg66lqDyavSj
Score

1^/10
behavioral10
- Target
  
  Axonolipa/pinacocyte/wollock.ini
- Size
  
  14KB
- MD5
  
  014e3a9b91f05d3500163479b611d3b8
- SHA1
  
  54fe4cc79edc9158616d5067516ec3ac21e68f06
- SHA256
  
  44693d40851185e37036c2164e23850dc7ad163b55ac0289d7b11ab3257164c5
- SHA512
  
  effe15a7a31cc924bd48871a89b83cfd27f4c04a548e6bfdf14f78f0db34e109287121b11640cddaf756314da82316cb06ae59bb6a9181a2030f5253ff9931e4
- SSDEEP
  
  384:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/jHgNi:J/sUZUEu1Qht7Y2L
Score

1^/10
behavioral11
- Target
  
  Axonolipa/prud.jpg
- Size
  
  58KB
- MD5
  
  5c84afa67cd76d69e53e6e8af66eb94a
- SHA1
  
  786e28bce32c44e621bbd1390a2f55e08a6b6ae1
- SHA256
  
  0e75c6649c3a5b5a7e590c6fb72048c8da6cf5095222fb72ad2e51528c62b2dd
- SHA512
  
  9543b72abc6a9ccf1a2b6bc3f383facfc73ce55a79e59537fa4aa1351e8e08541ada34949f4f42b7244f681c8e3958561987fcd423cbad8599d217ab2a3e25f9
- SSDEEP
  
  1536:UmJekwHrnQiUOTxPs1aLh3VMeV8lTCw8dGsBs7TdMZUzoUoR:pgLhlBF7Tw8osa7TdMZUEUO
Score

1^/10
behavioral12
- Target
  
  Axonolipa/rgerrig.txt
- Size
  
  13KB
- MD5
  
  ded55c4e40d3bb009f6d039c604786e9
- SHA1
  
  8ca3d9c7f53f3cc2afd3a1efe10e79d265747dcd
- SHA256
  
  41e704df5363ec94adece028466fc7b8cc8ae4753bc5e722871497c759e60f81
- SHA512
  
  6ba2152bbefdf8cb07bc063c460ab909ad65033a3f51e796c22a9529867d7d81bb0ad05b2bcee7606a6eccb7bf4a11b70603a5f574d1733c4615fa8c0fd2b202
- SSDEEP
  
  192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRuCeKchK:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/jH/
Score

1^/10
behavioral13
- Target
  
  Hetairas/Skrabnsespils.txt
- Size
  
  12KB
- MD5
  
  c16d7e9cdd76e6c6a6c2c55a3df4c22f
- SHA1
  
  a8ff93f63cef29df4dc4c9908a98b39cfe2d0f77
- SHA256
  
  fa7b89de19926538de22efffa7556d3b887804b9ee59481efe13042ebc2a7622
- SHA512
  
  dbee6c0092d6dcdd38b1e782fb862d09a93fecc722e16240e531c53f9b6d83d1c8313cf927ce89d74fc9371e2f5cfec88a98b0a8fa0b5d36a6e5cb85b0a533fc
- SSDEEP
  
  192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRuCeKc5:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/je
Score

1^/10
behavioral14
- Target
  
  Hetairas/Vivacity.Ove
- Size
  
  128KB
- MD5
  
  1b911424ddeb8feb6d284ab17d8444ad
- SHA1
  
  8a2ecb5b78d23855e86f7d78e232482c2497c850
- SHA256
  
  526786cac3bc3160f1bcce8f396e95f9a698a7cfa5f05c3319965fa9250347b0
- SHA512
  
  d7935245ea41e6308e52ba38143be7d6b342642186d2c9d550f95e8af81e2322d8d90a82f07c942aa1905ef0a672fe08d4b1fb7d2c51ebd49a96f295345eb3c2
- SSDEEP
  
  1536:D2FNb5L/ODKN1zKagjK23JWm73jpDmxCQcYZimTu3e1GK3jEn4vG:qFhu88vO23Jn7TpDQcYZgwl3jRvG
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral15
- Target
  
  Kierkegaardske/Afvarsler.Voc
- Size
  
  261KB
- MD5
  
  e1952b65b5492ae819e2094798fc7ee0
- SHA1
  
  4a0798b2157e8f4aa2d48f593f2fedb8f5534393
- SHA256
  
  2e0361f0e95687ce8aa8a99e3b47a2566e6181b6281eaf14866695da397618e8
- SHA512
  
  73f08396e28d4e6fe145c62b5f56c40aeb3c7c80d9e407f02f4ac1f3fa90fe7e9137c2a904fe28bf6965f90f3b47a0745ed4b1aee0e7a97948ad749ebd647dd2
- SSDEEP
  
  6144:jeOAbR+HadZ7/HmNaB/FhPwahOGzi+TFxzrFg6MhkgAQ3cw11:j/U+aFeNkPrhFTEhTAQ3cw11
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral16
- Target
  
  Kierkegaardske/Lithotriptor.huk
- Size
  
  184KB
- MD5
  
  f342e7ba488be2ac57bb244f6048bb39
- SHA1
  
  7c3121e57e1b8cf1e9bd7836b7ba3161418220d9
- SHA256
  
  8d060a3f682c8d5b044dae09b37afda95cb21753bbb23f7a5b0dc2c8e4f63762
- SHA512
  
  1b0cffcfb59c8bb0b2ead98e22c7a25f4c70444fa4f747df3ba4096a1415f7d8bc4e5c4992937a3d3a7fef7d1a5c20da38361cfd3f824c242f07d299b4b7d888
- SSDEEP
  
  768:IucEIs7WGo6HKuvpy6wIG5fNvBoJKc5ius4Ky9KqSGzMM4ClF0oHXpOKm9rD3QcM:J1JGpI5fKGKMVftlYXIL8y
Score

3^/10
behavioral17
- Target
  
  serpently/linielngde.pro
- Size
  
  330KB
- MD5
  
  3c9245261ab5761879ee306e1f5fd738
- SHA1
  
  5d39971ba7fc8c1a840b772b3f0970656770ca8b
- SHA256
  
  af7641e47f4ae7bb1720749ac9c8d9bc00586a88aabfc8da07ab33850f1ac664
- SHA512
  
  87325164fda0f2d76856d08565aefa4b02540f85d16ee723224dec34a3b73f3b264cf510a45cefc9ddab6cce508dd11dfc36a0e8d52f8bea927b2e5b7a0a494b
- SSDEEP
  
  1536:GepnQBvtfYcZNZRoH8bZHp4oI0kQkYiPGN:TpnUVf7XPDcolbkYiPA
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral18
- Target
  
  serpently/nacry.ini
- Size
  
  11KB
- MD5
  
  d238caece8765bf9760626569559bf74
- SHA1
  
  a2f3aa1bb52db3315b83fc1a830cb45b725f88f6
- SHA256
  
  426e8b9e2fac611da0286e2f41ec92b725ad2e4d8b9c2b87718ef81f9281390d
- SHA512
  
  0de0df60ddcbf02cc313ae836848dd8e079e3cc68cd5980bfeb1257443924aa70196c727c32d2923c090dcac2bd7a932da5315c3a3206f52f9966ba2abd9e189
- SSDEEP
  
  192:L1qavgSgIA/UZ1bEqNSc6nEKFL+2Q8TPwnMPW/77/JC6eRz+3E37HAYCRuA:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/7
Score

1^/10
behavioral19
- Target
  
  serpently/opvkkede.ini
- Size
  
  13KB
- MD5
  
  36fcd7598115fda310bc57936d594a17
- SHA1
  
  3486b8ba6ab5719af1eada21fe6e090adceeb0e0
- SHA256
  
  d6c9dadc5dcfec9e635c54e1dd3ad5b9454e44ea6968e5ec28fc3908a99552aa
- SHA512
  
  37772c27e1b907c460273c46916cc00651c22d1e0aacf1535db05ced7c8ced0a6d5a660a6538dd00655d1ef1011fb5dc127c46e2057b4057952c6c94531cf031
- SSDEEP
  
  384:JXvgSgIuUkc6nEuS2Q8TPwn8o7YW/jHgd:J/sUZUEu1Qht7Y2e
Score

1^/10
behavioral20
- Target
  
  email-html-1.txt
- Size
  
  29KB
- MD5
  
  9faaa98c874aad1ffb728ad4742ac742
- SHA1
  
  2d19e9db61931b603f7a73576bdb215d7c453aaa
- SHA256
  
  98978f7f19737b9781bd94970ae83a388a3aec6d9133899c20769ee90e253977
- SHA512
  
  5598a2c288e9c69c6a1c45298c6a06bcf7fd247b5e428bb5061a53e5502eaaa9cb45fbca5eecb4b0f3a109d8b96f9b9af418a5c9cfcaa8cfbcbf2103b223be9c
- SSDEEP
  
  768:IyoLQVLsz0qdOYm5T/sCEn75+NtWtXdCH+jDfRYEFEYQ:Ix8xwALT057ENUKHaGcQ
Score

8^/10

discovery
- Downloads MZ/PE file
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral21