guloader | 411d7a0d9d268daa710bbd8af48825e3227be7ed743c50c68afc05b71a940e83

General

Target

411d7a0d9d268daa710bbd8af48825e3227be7ed743c50c68afc05b71a940e83.vbe
Size

646KB
Sample

240625-bqys9asfqb
MD5

877d62bb0a3ca04372a89f1fd63aa517
SHA1

abb9619743f94df8ee35bcb29e08a33f49acc91a
SHA256

411d7a0d9d268daa710bbd8af48825e3227be7ed743c50c68afc05b71a940e83
SHA512

072e1b5ebf6aa76ee374d94b5d9f066c3f2c922808a646768234bf8cae9c62b55a82fa4e18ab860f7ffb5b31a625619991feaa3a82bc8fc7a3712b38cbbcf7ae
SSDEEP

12288:NuXAeUMRwhbVmNmN7wNL4NBN3rNrx9V0NnNcN/v3gRN6fyNMNIN3NLojSAfp+J1/:T4Rwhb79SyV7R1AIJTaud62Q

Score

10^/10

Malware Config

Targets

- Target
  
  411d7a0d9d268daa710bbd8af48825e3227be7ed743c50c68afc05b71a940e83.vbe
- Size
  
  646KB
- MD5
  
  877d62bb0a3ca04372a89f1fd63aa517
- SHA1
  
  abb9619743f94df8ee35bcb29e08a33f49acc91a
- SHA256
  
  411d7a0d9d268daa710bbd8af48825e3227be7ed743c50c68afc05b71a940e83
- SHA512
  
  072e1b5ebf6aa76ee374d94b5d9f066c3f2c922808a646768234bf8cae9c62b55a82fa4e18ab860f7ffb5b31a625619991feaa3a82bc8fc7a3712b38cbbcf7ae
- SSDEEP
  
  12288:NuXAeUMRwhbVmNmN7wNL4NBN3rNrx9V0NnNcN/v3gRN6fyNMNIN3NLojSAfp+J1/:T4Rwhb79SyV7R1AIJTaud62Q
Score

10^/10

guloader downloader persistence collection spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2