Overview

overview

10

Static

static

3

Purchase O...df.exe

windows7-x64

10

Purchase O...df.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PurchaseOrder_FEB2025_pdf.txz

  • Size

    719KB

  • Sample

    250211-syxplazkfs

  • MD5

    37172917097b05f122e625b0a35147c7

  • SHA1

    e2a5317f4293b68d8f92cedf5d85ac55171da81b

  • SHA256

    1281c7edbd3003e675c2dcfe9087405813f1bce2edb1af8f5551b4dcb120bbc7

  • SHA512

    f150df31dc602c5fa39420e887694df360f3b76c190fadf5b7c6ec631b6ad25a7d760262769f040ec1ed10501480acbb47c86834e8690d6c6e14b0bb5d13abf1

  • SSDEEP

    12288:QT6V6/821r6iAmw8jGUo0NOYct7BgZcv83qB4b1e4GC81Mm6sJbYcUUkv56hC4hy:V6/F1rLHjGqkY2iAaqebZGHMGUUkQhC/

Score
10/10
guloadercollectiondiscoverydownloaderspywarestealer

Malware Config

Targets

    • Target

      Purchase Order_FEB 2025_pdf.exe

    • Size

      1.0MB

    • MD5

      9054f467db1180f7991ba2d42a754f59

    • SHA1

      104f702513021faf28cf4e641b12e21fb5f1e4b6

    • SHA256

      251ad36ce2fa611f2f94c6a90fddca59d881e48c8a4fd3ef892d803996742e12

    • SHA512

      91159fc0b760c602e8f66c79dff80428a36b652ffc63495222d0665256cbab3307b3cf498a3eea0aed8a7ae025c3f8c516aa246a9583c93b0d48bef3cdef5731

    • SSDEEP

      24576:LzOEC045stTUHEd6OQfazVGfCANG5Hgaph:eEeKtTUHo6OQSrXNg4

    Score
    10/10
    guloaderdiscoverydownloadercollectionspywarestealer

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      3f176d1ee13b0d7d6bd92e1c7a0b9bae

    • SHA1

      fe582246792774c2c9dd15639ffa0aca90d6fd0b

    • SHA256

      fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    • SHA512

      0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    • SSDEEP

      192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks