Overview

overview

10

Static

static

3

Udeladelsers21.exe

windows7-x64

7

Udeladelsers21.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    91s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/02/2025, 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Udeladelsers21.exe

  • Size

    789KB

  • MD5

    0414f807264c86c53561dbac864a0a03

  • SHA1

    31090a8c34e7c6f08f80f7dc9d08890fbed06498

  • SHA256

    a97a7c59fd1240722e02c1fe6e0c604f00d144578f701c78c47efb5132759a0b

  • SHA512

    3f64007953ef2cac2e8151176b8f7a1b5954bdd15404a4f79f3cfd3da74f1ce1113ca2ccd237056d59aa08fcc171d23d3a4644fbd1effcb9b8227f3eb07e8290

  • SSDEEP

    12288:I2LyZBH9zpl/scMxT3iKJCcYpOPJbiHWQLq7uHkqx+9f9Rv5WimvSre:I2G/Lhflc3iHWgsuHxw3h4vV

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Udeladelsers21.exe
    "C:\Users\Admin\AppData\Local\Temp\Udeladelsers21.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\Udeladelsers21.exe
      "C:\Users\Admin\AppData\Local\Temp\Udeladelsers21.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\recensioners.ini
    Filesize

    37B

    MD5

    587121cabc408133538b692db9adfc83

    SHA1

    3ecfd3a31b43216b70b16f00fd40790e05911f69

    SHA256

    585c10af27b175c5e18d58bc5bc93fb86413f57f6a914ac9efee9066d464f2eb

    SHA512

    f7efb0ca8a8f2d3f3c6d4e0c4db64aa2ec4bae52cb0b187f1ef28607dcc62bd1e66c0e48df37965ef3469e13bdfd2468557336d44690a7a6d580bf994b044283

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsb6EA5.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    ab1db56369412fe8476fefffd11e4cc0

    SHA1

    daad036a83b2ee2fa86d840a34a341100552e723

    SHA256

    6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

    SHA512

    8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsb6EA5.tmp\System.dll
    Filesize

    12KB

    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit

  • memory/3516-337-0x0000000004A30000-0x0000000006BF7000-memory.dmp

    Filesize

    33.8MB

    Download

  • memory/3516-334-0x0000000074420000-0x0000000074427000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3516-333-0x0000000074425000-0x0000000074426000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-332-0x00000000775C1000-0x00000000776E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3516-331-0x0000000004A30000-0x0000000006BF7000-memory.dmp

    Filesize

    33.8MB

    Download

  • memory/3516-330-0x0000000004A30000-0x0000000006BF7000-memory.dmp

    Filesize

    33.8MB

    Download

  • memory/4180-338-0x0000000001660000-0x0000000003827000-memory.dmp

    Filesize

    33.8MB

    Download

  • memory/4180-336-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4180-351-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4180-352-0x0000000001660000-0x0000000003827000-memory.dmp

    Filesize

    33.8MB

    Download

  • memory/4180-353-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4180-354-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4180-355-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4180-358-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download