guloader | 77e15415d2427d168202684e80034c83d83230deee10efe86cf07049af98d77c

General

Target

PAGO.cmd
Size

959KB
MD5

b7819321f80217a516dc2649097a6cc4
SHA1

c35be052ffa3ad243512cafee4034656399f52cd
SHA256

77e15415d2427d168202684e80034c83d83230deee10efe86cf07049af98d77c
SHA512

8fd59280dd6658b6b105936eda91555e6c1f7c0f6b7aebfe3df7c74a6b94db2498acc36d896e31d9de63c8d0073fb25127c249d1c9ca15ba09127f83cb6a6525
SSDEEP

12288:UPCl0t4TkEIroYUI2K/AtBb2d/fNguvEc4sI20geXazMbkJ/i3O2CHaAUwvUbcYG:UKRfcOe4hDgeqzRJ/LLU6WcbTtUi

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 1 IoCs

pid	Process
3044	maxthon.pif

Loads dropped DLL 12 IoCs

pid	Process
3044	maxthon.pif
3044	maxthon.pif
3044	maxthon.pif
3044	maxthon.pif
3044	maxthon.pif
3044	maxthon.pif
3044	maxthon.pif
1872	maxthon.pif
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3044	maxthon.pif

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\oxyrhynchus\statiscope.ini	maxthon.pif

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	1872	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maxthon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maxthon.pif

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016fc9-11040.dat	nsis_installer_1
behavioral1/files/0x0008000000016fc9-11040.dat	nsis_installer_2

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3044	maxthon.pif

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3044	maxthon.pif

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2904	2108	cmd.exe	31
PID 2108 wrote to memory of 2904	2108	cmd.exe	31
PID 2108 wrote to memory of 2904	2108	cmd.exe	31
PID 2108 wrote to memory of 3044	2108	cmd.exe	32
PID 2108 wrote to memory of 3044	2108	cmd.exe	32
PID 2108 wrote to memory of 3044	2108	cmd.exe	32
PID 2108 wrote to memory of 3044	2108	cmd.exe	32
PID 3044 wrote to memory of 1872	3044	maxthon.pif	33
PID 3044 wrote to memory of 1872	3044	maxthon.pif	33
PID 3044 wrote to memory of 1872	3044	maxthon.pif	33
PID 3044 wrote to memory of 1872	3044	maxthon.pif	33
PID 3044 wrote to memory of 1872	3044	maxthon.pif	33
PID 1872 wrote to memory of 2616	1872	maxthon.pif	34
PID 1872 wrote to memory of 2616	1872	maxthon.pif	34
PID 1872 wrote to memory of 2616	1872	maxthon.pif	34
PID 1872 wrote to memory of 2616	1872	maxthon.pif	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAGO.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\cscript.exe
  cscript p.js
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\maxthon.pif
  maxthon.pif
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\maxthon.pif
    maxthon.pif
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 104
      4⤵
      Loads dropped DLL
      Program crash
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maxthon.pif

Filesize
622KB

MD5
ff0fdae83407b8ff69f9c665bab0d7d4

SHA1
a6f10986b185a604dd458b9f535a01e3d325bcc2

SHA256
0e3390f3f7bd283296ca3ee73ba5d9cb76d5132ed7d7c17e97789478a8a2f27b

SHA512
72037c874b127b7eeb54594381041fb540185900ab5b937088741ee24750d4fcce7f8df31f753462a302b278ce0799f8c9d22bd315422cb633debc849f800615

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.js

Filesize
454B

MD5
512de64f32a0387d27f0d77251ea264c

SHA1
1f394a3cff8a9c0d7b5126859ec10356b9885cc4

SHA256
fc89b98b929495596a34a2dff20fe6100c79b730d7e5734d0bf7f0c001a5ad7d

SHA512
8b9f78ad373c1e11f441ef6fa9ea1d57776e11a1c0e39bc6de92aeba95a6d0c5228942869abd3e7ff82ca66b59545a9e8c0c5f6281b79baf3dbc7cfd933cabe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
861KB

MD5
3738d9b4b11a30ab9395879e4ab25587

SHA1
4e51f637c25aec858fe6c80f126685c31f3c9590

SHA256
5898b70fa5caa97424d8ffe51a95b648123bfe8f4a1d844b76d5b398fc59aad8

SHA512
1c0a7361c2c459e3165643df226b1289678b1182097a3cff2cc2d16eddd0866f4e2a639e153b62c1703017e007139db1f8139cc9b36f14d54b0d8e2df28e566c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
2KB

MD5
a6dade489ea536c7536f601b20f38daa

SHA1
db2614253d4a1cc8cf6bf7b1165a09ce88a18b8c

SHA256
b811bbe37e8b80fc8d433402fceddd5c5ecc9db75ed92eea9aa94ae050ae6970

SHA512
e91c6ba174b73b5cbf499d786f34f97991042859fdb66a4b1fefd041d4013dfb033088f69ff8793fe19fec0f734afdbcea074b042831198587bfe9d2507c6b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
4KB

MD5
78eb10eb6f4cb32466fd6058763c8649

SHA1
89558100fac2d33409f8152d4c7b163a1f03489f

SHA256
a8fa027ddaa121753bbdb61f1f94b768b39c413d387902df4ba368279e60ca1e

SHA512
cf77ebf898b350d9a5fc69e4a5b7766f62a35cd9dd8818c98bf99d0f1bd485ac6e03bb44ebe4acae9c06db1b454127325aaeeaefb4ce4f97a3b426719b8f738a

Download Submit
\Users\Admin\AppData\Local\Temp\nsu3C38.tmp\LangDLL.dll

Filesize
5KB

MD5
7af1e33d85459fbd2cf7ef29d7528e9e

SHA1
8a90d81eeabd6886e5b5985d3d10e3f435ccf00d

SHA256
958b118ec87610f25232eb6257168bdbbf210cf2511bf38fb54bf4ffc908abb2

SHA512
1aa61538a5fec5bb27dca4305f4b856446e032321f55f26c5e949bb125220a4c319c51c2050697cda6c39ba784eaf2f041ee742f57d3e2e8a6e9f6ec96007145

Download Submit
\Users\Admin\AppData\Local\Temp\nsu3C38.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
memory/1872-11085-0x0000000001470000-0x0000000002011000-memory.dmp

Filesize
11.6MB

Download
memory/1872-11087-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1872-11093-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3044-11080-0x0000000003850000-0x00000000043F1000-memory.dmp

Filesize
11.6MB

Download
memory/3044-11081-0x0000000003850000-0x00000000043F1000-memory.dmp

Filesize
11.6MB

Download
memory/3044-11082-0x0000000077BE1000-0x0000000077CE2000-memory.dmp

Filesize
1.0MB

Download
memory/3044-11083-0x0000000077BE0000-0x0000000077D89000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing