guloader | 77e15415d2427d168202684e80034c83d83230deee10efe86cf07049af98d77c

General

Target

PAGO.cmd
Size

959KB
MD5

b7819321f80217a516dc2649097a6cc4
SHA1

c35be052ffa3ad243512cafee4034656399f52cd
SHA256

77e15415d2427d168202684e80034c83d83230deee10efe86cf07049af98d77c
SHA512

8fd59280dd6658b6b105936eda91555e6c1f7c0f6b7aebfe3df7c74a6b94db2498acc36d896e31d9de63c8d0073fb25127c249d1c9ca15ba09127f83cb6a6525
SSDEEP

12288:UPCl0t4TkEIroYUI2K/AtBb2d/fNguvEc4sI20geXazMbkJ/i3O2CHaAUwvUbcYG:UKRfcOe4hDgeqzRJ/LLU6WcbTtUi

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Downloads MZ/PE file 1 IoCs

flow	pid	Process
55	2936	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
4956	maxthon.pif

Loads dropped DLL 11 IoCs

pid	Process
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4956	maxthon.pif
4312	maxthon.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	drive.google.com
24	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4312	maxthon.pif

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4956	maxthon.pif
4312	maxthon.pif

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\oxyrhynchus\statiscope.ini	maxthon.pif

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maxthon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maxthon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2580	MicrosoftEdgeUpdate.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000500000001e543-11041.dat	nsis_installer_1
behavioral2/files/0x000500000001e543-11041.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif
4312	maxthon.pif

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4956	maxthon.pif

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2844	4588	cmd.exe	94
PID 4588 wrote to memory of 2844	4588	cmd.exe	94
PID 4588 wrote to memory of 4956	4588	cmd.exe	95
PID 4588 wrote to memory of 4956	4588	cmd.exe	95
PID 4588 wrote to memory of 4956	4588	cmd.exe	95
PID 4956 wrote to memory of 4312	4956	maxthon.pif	96
PID 4956 wrote to memory of 4312	4956	maxthon.pif	96
PID 4956 wrote to memory of 4312	4956	maxthon.pif	96
PID 4956 wrote to memory of 4312	4956	maxthon.pif	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAGO.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\cscript.exe
  cscript p.js
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\maxthon.pif
  maxthon.pif
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\maxthon.pif
    maxthon.pif
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4312

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjIxQTk2QUMtN0M1Qy00RURDLTgzMEItRkZEQkM1MjhDODQ0fSIgdXNlcmlkPSJ7N0RERkE5NEYtOTdGQS00QjRCLUI2QTAtOTA4NkJCMzc3MjU2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEYzMDM0MDctMjk3MS00NDRDLUFFREYtOEIzMkQ2QzA1NjE2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTgwOTcwNTc1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maxthon.pif

Filesize
622KB

MD5
ff0fdae83407b8ff69f9c665bab0d7d4

SHA1
a6f10986b185a604dd458b9f535a01e3d325bcc2

SHA256
0e3390f3f7bd283296ca3ee73ba5d9cb76d5132ed7d7c17e97789478a8a2f27b

SHA512
72037c874b127b7eeb54594381041fb540185900ab5b937088741ee24750d4fcce7f8df31f753462a302b278ce0799f8c9d22bd315422cb633debc849f800615

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9D47.tmp\LangDLL.dll

Filesize
5KB

MD5
7af1e33d85459fbd2cf7ef29d7528e9e

SHA1
8a90d81eeabd6886e5b5985d3d10e3f435ccf00d

SHA256
958b118ec87610f25232eb6257168bdbbf210cf2511bf38fb54bf4ffc908abb2

SHA512
1aa61538a5fec5bb27dca4305f4b856446e032321f55f26c5e949bb125220a4c319c51c2050697cda6c39ba784eaf2f041ee742f57d3e2e8a6e9f6ec96007145

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9D47.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\p.js

Filesize
454B

MD5
512de64f32a0387d27f0d77251ea264c

SHA1
1f394a3cff8a9c0d7b5126859ec10356b9885cc4

SHA256
fc89b98b929495596a34a2dff20fe6100c79b730d7e5734d0bf7f0c001a5ad7d

SHA512
8b9f78ad373c1e11f441ef6fa9ea1d57776e11a1c0e39bc6de92aeba95a6d0c5228942869abd3e7ff82ca66b59545a9e8c0c5f6281b79baf3dbc7cfd933cabe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
861KB

MD5
3738d9b4b11a30ab9395879e4ab25587

SHA1
4e51f637c25aec858fe6c80f126685c31f3c9590

SHA256
5898b70fa5caa97424d8ffe51a95b648123bfe8f4a1d844b76d5b398fc59aad8

SHA512
1c0a7361c2c459e3165643df226b1289678b1182097a3cff2cc2d16eddd0866f4e2a639e153b62c1703017e007139db1f8139cc9b36f14d54b0d8e2df28e566c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x

Filesize
4KB

MD5
78eb10eb6f4cb32466fd6058763c8649

SHA1
89558100fac2d33409f8152d4c7b163a1f03489f

SHA256
a8fa027ddaa121753bbdb61f1f94b768b39c413d387902df4ba368279e60ca1e

SHA512
cf77ebf898b350d9a5fc69e4a5b7766f62a35cd9dd8818c98bf99d0f1bd485ac6e03bb44ebe4acae9c06db1b454127325aaeeaefb4ce4f97a3b426719b8f738a

Download Submit
memory/4312-11101-0x0000000001660000-0x0000000002201000-memory.dmp

Filesize
11.6MB

Download
memory/4312-11089-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4312-11090-0x0000000001660000-0x0000000002201000-memory.dmp

Filesize
11.6MB

Download
memory/4312-11100-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4312-11107-0x0000000001660000-0x0000000002201000-memory.dmp

Filesize
11.6MB

Download
memory/4312-11106-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4312-11108-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4312-11109-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4312-11112-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4956-11084-0x0000000076ED1000-0x0000000076FF1000-memory.dmp

Filesize
1.1MB

Download
memory/4956-11085-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/4956-11088-0x0000000004A00000-0x00000000055A1000-memory.dmp

Filesize
11.6MB

Download
memory/4956-11083-0x0000000004A00000-0x00000000055A1000-memory.dmp

Filesize
11.6MB

Download

Analysis

Sharing