guloader | 9be35c4376464838d7927e3cd13758058c407a54f8cc0c5376cabb3eb7a9c64e

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/02/2025, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bunker (STS) Notification..exe
Size

619KB
MD5

c176fa88d211acc3d63d6c8d3cf8d5a6
SHA1

c87881a891fa05cd1c4caa8cc10451359db163f4
SHA256

6ba3a37ac78eef40080be3a47e0ebcc30619221480d5bdd60a97fd571bda2ba2
SHA512

4b80ec090a296025b45de505d36059258701bdc78330421a00679bac5da6e5105d4b9eb1b11bf5398fd154a62ee8d30d023b87d55acdacc2d28ea1382384a886
SSDEEP

12288:5UVC9GIaG5ez13NhJN6U+c7DK3YKFQC0ncfFF9AUiDeDx3E:KVzK5ez13N56UP7RKFQC0cdqDeDB

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
2644	Bunker (STS) Notification..exe
2644	Bunker (STS) Notification..exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2644	Bunker (STS) Notification..exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	2556	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bunker (STS) Notification..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bunker (STS) Notification..exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2644	Bunker (STS) Notification..exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2556	2644	Bunker (STS) Notification..exe	30
PID 2644 wrote to memory of 2556	2644	Bunker (STS) Notification..exe	30
PID 2644 wrote to memory of 2556	2644	Bunker (STS) Notification..exe	30
PID 2644 wrote to memory of 2556	2644	Bunker (STS) Notification..exe	30
PID 2644 wrote to memory of 2556	2644	Bunker (STS) Notification..exe	30
PID 2556 wrote to memory of 2648	2556	Bunker (STS) Notification..exe	31
PID 2556 wrote to memory of 2648	2556	Bunker (STS) Notification..exe	31
PID 2556 wrote to memory of 2648	2556	Bunker (STS) Notification..exe	31
PID 2556 wrote to memory of 2648	2556	Bunker (STS) Notification..exe	31

C:\Users\Admin\AppData\Local\Temp\Bunker (STS) Notification..exe
"C:\Users\Admin\AppData\Local\Temp\Bunker (STS) Notification..exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\Bunker (STS) Notification..exe
  "C:\Users\Admin\AppData\Local\Temp\Bunker (STS) Notification..exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 104
    3⤵
    - Program crash
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstFA76.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
memory/2556-23-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2556-22-0x0000000001470000-0x000000000733A000-memory.dmp

Filesize
94.8MB

Download
memory/2556-25-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2644-20-0x0000000076D81000-0x0000000076E82000-memory.dmp

Filesize
1.0MB

Download
memory/2644-21-0x0000000076D80000-0x0000000076F29000-memory.dmp

Filesize
1.7MB

Download