guloader | c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe
Size

926KB
MD5

5469e8035530eb2c2552b568c88c2b24
SHA1

17ef49811c0c065e6bcdec4a000464659efe6991
SHA256

c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e
SHA512

2940d72fa0678674350211c2ab77bb2e5a778f055ab6ccf0298bb239017e4a25b5486ab6de3f7c0985b2bb46921cdda104205270da819aa787e6cf723a158fe6
SSDEEP

24576:tOZlAUxWG1+ne0/bIpTeubmMLA+5wOnOMyQa:HUPse0/0wuzZ5xOMyQa

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe
5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe
400	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\unfrigidness\prsentation.une	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe
File opened for modification	C:\Windows\resources\Bluejelly78\infinituple.tet	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 400	5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe	93
PID 5056 wrote to memory of 400	5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe	93
PID 5056 wrote to memory of 400	5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe	93
PID 5056 wrote to memory of 400	5056	c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe	93

C:\Users\Admin\AppData\Local\Temp\c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe
"C:\Users\Admin\AppData\Local\Temp\c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe
  "C:\Users\Admin\AppData\Local\Temp\c0ba6cd3dec5b284f3defa9ef37453107e44f5b5a153728dd536fd6b7ff0b95e.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso8EF3.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/400-44-0x0000000076FE8000-0x0000000076FE9000-memory.dmp

Filesize
4KB

Download
memory/400-45-0x0000000077005000-0x0000000077006000-memory.dmp

Filesize
4KB

Download
memory/400-46-0x00000000016E0000-0x00000000025A7000-memory.dmp

Filesize
14.8MB

Download
memory/400-48-0x0000000076F61000-0x0000000077081000-memory.dmp

Filesize
1.1MB

Download
memory/400-47-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/5056-39-0x0000000004A10000-0x00000000058D7000-memory.dmp

Filesize
14.8MB

Download
memory/5056-40-0x0000000076F61000-0x0000000077081000-memory.dmp

Filesize
1.1MB

Download
memory/5056-41-0x0000000073BB4000-0x0000000073BB5000-memory.dmp

Filesize
4KB

Download
memory/5056-43-0x0000000004A10000-0x00000000058D7000-memory.dmp

Filesize
14.8MB

Download