guloader | 0cd8b00f33a98cc494f251b51a95d4454f2bee979dbee98555accee3dfe37db4

General

Target

12022025_0209_2435433.exe
Size

935KB
MD5

b2133aba6fde5e6b68bb3f5b1ed8ed29
SHA1

cce05c4dfe8286601e5e36d1d2f2486758cd53d1
SHA256

0cd8b00f33a98cc494f251b51a95d4454f2bee979dbee98555accee3dfe37db4
SHA512

3c51c879a3fdeff67b2b29a08fb0c48cfd83a4331832313c75df692fd429d89e24481c67ed7829a9de3c01c3ebabcd0d42459bbd3fa5b5713545568543bd1813
SSDEEP

24576:8s2NlZQ0XKoayZAMMOKjgfWmVRpkVoJfCMoU8Z1A:glZQdoayZ6YW8lCLU8ZC

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	1948	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
4824	12022025_0209_2435433.exe
4824	12022025_0209_2435433.exe
4824	12022025_0209_2435433.exe
4824	12022025_0209_2435433.exe
4824	12022025_0209_2435433.exe
4824	12022025_0209_2435433.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
18	drive.google.com
33	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4732	12022025_0209_2435433.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4824	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12022025_0209_2435433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12022025_0209_2435433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3352	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe
4732	12022025_0209_2435433.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4824	12022025_0209_2435433.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4732	4824	12022025_0209_2435433.exe	88
PID 4824 wrote to memory of 4732	4824	12022025_0209_2435433.exe	88
PID 4824 wrote to memory of 4732	4824	12022025_0209_2435433.exe	88
PID 4824 wrote to memory of 4732	4824	12022025_0209_2435433.exe	88

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
1⤵
- System Location Discovery: System Language Discovery
PID:3304

C:\Users\Admin\AppData\Local\Temp\12022025_0209_2435433.exe
"C:\Users\Admin\AppData\Local\Temp\12022025_0209_2435433.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\12022025_0209_2435433.exe
  "C:\Users\Admin\AppData\Local\Temp\12022025_0209_2435433.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4732

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTAyRDhENjMtOUQ5RS00RkY5LTg2Q0QtNzIwN0JEODZGQjhFfSIgdXNlcmlkPSJ7Mjc3QkI1QUQtOEI5NS00NTY0LTk5NjYtM0I0M0FBM0Q3RDdEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTM2QkZCQkItREJCQi00MkQyLUI0QjktMDg5NEQwQkM3QTg5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDQ0MjkyMDM2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
360KB

MD5
6dbb17758874ceb4f82417686e3dcd38

SHA1
0444058afd32ab03845065ffbc82cf44a21ea22a

SHA256
764084a3d21bbcdb426c458e0be98bf07484f4b4ecc46230746d5c24903f4e46

SHA512
3b3d3eb7237a141d0ada70bf7c3021a2451830393ef2d5ed22f3ef81e94540ddb8511f6ff532aed7c05e3091aa6502f6bcb9540810a62806848cd0700c560dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\furriery.ini

Filesize
38B

MD5
b1ef763e50c5aabcdf24507256cdecb5

SHA1
544323e0812a2d71bc5e156e42bbe25f6082afab

SHA256
65724906ac58f577bd6b805237a1d03107bd94276121ef81e1fbfd368672abb4

SHA512
71c29b23cc8d2f16bb9f4667d25a7d01cf593134425359fc735c6056d154addb113dce0a9899f90d0dac4b3e46a3849fdee9190f3bf067fdba3b89f5b1170c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4A15.tmp\LangDLL.dll

Filesize
5KB

MD5
b21a3377e66b941df6d5b7cf8ba7a43a

SHA1
e7ed27fce2db9cdc11ca3c640806731dcef3864a

SHA256
ba46a03088f690ce966043f49761ff3a3a0dca236160794de841dfecc3588d1e

SHA512
f011a824c0ff7f87c6da112898f4afc87e12c5b39fb40ffcc0955012e79a4302597d892224b3b47e8143480605c73275d3799d6d2000cdf179c2912241f86916

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4A15.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
memory/4732-69-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4732-50-0x0000000001660000-0x0000000005BD7000-memory.dmp

Filesize
69.5MB

Download
memory/4732-51-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4732-54-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4732-70-0x0000000001660000-0x0000000005BD7000-memory.dmp

Filesize
69.5MB

Download
memory/4732-71-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4732-72-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4732-75-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4824-49-0x0000000073CB5000-0x0000000073CB6000-memory.dmp

Filesize
4KB

Download
memory/4824-48-0x0000000077591000-0x00000000776B1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing