guloader | c7728da75004903710287196fe7b46281fcc671420ebbac44388605e1d9892be | Triage

Submit
Reports

Overview

overview

Static

static

1

FACTURA08798696.vbe

windows7-x64

FACTURA08798696.vbe

windows10-2004-x64

Sharing

General

Target

FACTURA08798.Tar
Size

418KB
Sample

240624-qw6tdaybjm
MD5

280fb6d9bef71be8b72039a80251e6e1
SHA1

1d6a990f2781d26a37dd8efe8f8188cf2d8f58e6
SHA256

c7728da75004903710287196fe7b46281fcc671420ebbac44388605e1d9892be
SHA512

cc0ca16eec59e0f28ba5f233477b661324665cb920bea8de031268fda18da0f07670484c678bd39fe1faca0ea533719bdc4f791badfaa07b93379b59b7d285bd
SSDEEP

12288:IAir7L7jf9eIYWBOGgijWDocOCId74s8D:M7Re0BOviCDotCId7x8D

Score

10^/10

guloader collection downloader persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

FACTURA08798696.vbe

Resource

win7-20240220-en

guloader collection downloader persistence spyware stealer

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

FACTURA08798696.vbe

Resource

win10v2004-20240508-en

guloader collection downloader persistence spyware stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  FACTURA08798696.vbe
- Size
  
  646KB
- MD5
  
  877d62bb0a3ca04372a89f1fd63aa517
- SHA1
  
  abb9619743f94df8ee35bcb29e08a33f49acc91a
- SHA256
  
  411d7a0d9d268daa710bbd8af48825e3227be7ed743c50c68afc05b71a940e83
- SHA512
  
  072e1b5ebf6aa76ee374d94b5d9f066c3f2c922808a646768234bf8cae9c62b55a82fa4e18ab860f7ffb5b31a625619991feaa3a82bc8fc7a3712b38cbbcf7ae
- SSDEEP
  
  12288:NuXAeUMRwhbVmNmN7wNL4NBN3rNrx9V0NnNcN/v3gRN6fyNMNIN3NLojSAfp+J1/:T4Rwhb79SyV7R1AIJTaud62Q
Score

10^/10

guloader collection downloader persistence spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guloadercollectiondownloaderpersistencespywarestealer

behavioral2

guloadercollectiondownloaderpersistencespywarestealer

© 2018-2024

Terms | Privacy