General
- Target: 12022025_0210_2435433.GIF.rar
- Size: 975KB
- Sample: 250212-clwzjaxjal
- MD5: 624cc04012540e0171c55091d72a4219
- SHA1: af2fcfa2044e6f60aaea45ab50af069a3643901c
- SHA256: 41063585eec1a621b5bc4a18f0d3357ce0ef525e3da21ed00c48fd00c9995a26
- SHA512: 459c27b9111a585c4238f349ef03abf27aaececab14c756f63e4ee988552100f1a895779c11e9e64640d9e87dd85de7a207a8ac5628d1ec092b98a670d8b44d3
- SSDEEP: 12288:u7TW3Zg4OEzihevUVJWuXpCVP7J2SpLZE0r2mVnfZOGwYoX+zBUO7cOoDvvtRTCG:bZDO0aJWuZQ4qFnfZo+zmOoOOTwS
Static task: static1
Behavioral task: behavioral1
- Sample: 2435433.cmd
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 2435433.cmd
- Resource: win10v2004-20250211-en
Malware Config
Targets
- Target: 2435433.cmd
- Size: 1.4MB
- MD5: 9c9536010d9af231f17acc84538df07f
- SHA1: 67f9f971395e8d8ffcd2568c5ec7b29f4f27d4cf
- SHA256: 27eefc56a98faa80d9c9156d351a99408dd35d2e899a8a3e8b34d56e740f3334
- SHA512: 6f89a9750fd6ca4092ae701b65abcd5ca95bf2e0c2b99403cd4d4ca99c887c3dc40bdffd90cf9c991d20a854b4db16b84e40156380b45ec1be48359f4a8389e4
- SSDEEP: 24576:aindj4JTlehuO9XnxLD8tGAFIVodVWCFL6JCW2pDt4K:j4+Vxqqo5FGA3
- Guloader family
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Browser Extensions (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)