guloader | 590968973ea1694416916c544ac177143d6ea1e4a16a45869b535cdb2472ac4f

General

Target

pago3423443.exe
Size

1.0MB
MD5

c626b5ff25d95915163a9fc8a65237ff
SHA1

44a686fa47df95c5c1f2b8867db65ee2baa8488d
SHA256

b3da5f2f5c92cffef6701e6f99e8bc5ef7bfb7bb45f1530813f37c3d97f1d3b0
SHA512

380c042631d46d6b8582679f9e8eefd96724e821a43484f3f64bcec333d0509bbb7fbcabd30bbb800ed2370e4d9a2c7e9f518979494204e4271a7825700b4b87
SSDEEP

24576:YSafguydKSg+onJ3RbnHPVNfroUmLDbZ7Jjl7WqDs3Ry:YlfguygSg+Q/bnHPHbSFhWquR

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 6 IoCs

pid	Process
528	pago3423443.exe
528	pago3423443.exe
528	pago3423443.exe
528	pago3423443.exe
528	pago3423443.exe
528	pago3423443.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	drive.google.com
21	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4692	pago3423443.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
528	pago3423443.exe
4692	pago3423443.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\remonteringer\Udsendelseslederes123.lnk	pago3423443.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Substract\metrerne.Bin237	pago3423443.exe
File opened for modification	C:\Windows\Fonts\troglodytes\thespian.ini	pago3423443.exe
File opened for modification	C:\Windows\resources\0409\Vanrgten\antiperistatic.ini	pago3423443.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pago3423443.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pago3423443.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe
4692	pago3423443.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
528	pago3423443.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 4692	528	pago3423443.exe	88
PID 528 wrote to memory of 4692	528	pago3423443.exe	88
PID 528 wrote to memory of 4692	528	pago3423443.exe	88
PID 528 wrote to memory of 4692	528	pago3423443.exe	88

C:\Users\Admin\AppData\Local\Temp\pago3423443.exe
"C:\Users\Admin\AppData\Local\Temp\pago3423443.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\pago3423443.exe
  "C:\Users\Admin\AppData\Local\Temp\pago3423443.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbD5FE.tmp\LangDLL.dll

Filesize
5KB

MD5
2a0f58baa9f48961707195d3d9ab8d0a

SHA1
abb640f58bd2a3fc50cd130bd960015df7a2a345

SHA256
a9520ce3bcfa4cfb7d9be3d317bdb3068246b38292e6d291a55f1b04a158998e

SHA512
273356a565978ff58d223e4d84de85d257838b1c37ae33054de76401ac935fd26f54213424ad8164bae2c4f9d9f2d61cbdd24bbaad453da938e0dca26b98130a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbD5FE.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit
memory/528-48-0x0000000004A40000-0x0000000006430000-memory.dmp

Filesize
25.9MB

Download
memory/528-49-0x0000000004A40000-0x0000000006430000-memory.dmp

Filesize
25.9MB

Download
memory/528-50-0x00000000775F1000-0x0000000077711000-memory.dmp

Filesize
1.1MB

Download
memory/528-51-0x00000000775F1000-0x0000000077711000-memory.dmp

Filesize
1.1MB

Download
memory/528-52-0x0000000074245000-0x0000000074246000-memory.dmp

Filesize
4KB

Download
memory/528-54-0x0000000004A40000-0x0000000006430000-memory.dmp

Filesize
25.9MB

Download
memory/4692-55-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4692-56-0x0000000001660000-0x0000000003050000-memory.dmp

Filesize
25.9MB

Download
memory/4692-57-0x0000000077678000-0x0000000077679000-memory.dmp

Filesize
4KB

Download
memory/4692-58-0x0000000001660000-0x0000000003050000-memory.dmp

Filesize
25.9MB

Download
memory/4692-59-0x0000000077695000-0x0000000077696000-memory.dmp

Filesize
4KB

Download
memory/4692-72-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4692-74-0x0000000001660000-0x0000000003050000-memory.dmp

Filesize
25.9MB

Download
memory/4692-73-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4692-75-0x00000000775F1000-0x0000000077711000-memory.dmp

Filesize
1.1MB

Download
memory/4692-76-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4692-79-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing