guloader | 3414295aa3bf71b66f8a86a5cc390fdb4669d2a2127f6b56cd91b535253b7008 | Triage

Submit
Reports

Overview

overview

Static

static

1

IMG5675893...et.vbs

windows7-x64

IMG5675893...et.vbs

windows10-2004-x64

Sharing

General

Target

25062024_0816_23062024_IMG56758938583095883593858835Blindehjemmet.7z
Size

12KB
Sample

240625-j6ghxa1gqn
MD5

36b26f6190ef25ccb47ca1b2401334b6
SHA1

9cf090600faddc071f4af7cab49c23e3ac137449
SHA256

3414295aa3bf71b66f8a86a5cc390fdb4669d2a2127f6b56cd91b535253b7008
SHA512

2465bba288713b8cf1f0ffcb991988a70fc71ef26a4e4fc5a2ea4e5c1dbe615fe98e5b69a38c25eb8dd1b621315f0a1f92e29bea66442ec00e53e54554f16189
SSDEEP

384:hTw4hhQFAVrF/HtPI9bQ2tvEL8Dzp1PdDy:hTMINw9p1E4Dzp1PZy

Score

10^/10

guloader downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

IMG56758938583095883593858835Blindehjemmet.vbs

Resource

win7-20240611-en

guloader downloader persistence

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

IMG56758938583095883593858835Blindehjemmet.vbs

Resource

win10v2004-20240226-en

guloader downloader persistence

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  IMG56758938583095883593858835Blindehjemmet.vbs
- Size
  
  23KB
- MD5
  
  18a025babdc4df5cb74d565b1b93e1d6
- SHA1
  
  f9bd62d75f8fd2e8327eea6b324b1c5dd3d880f3
- SHA256
  
  7050385c9ecb2aa84c11b687149985e1aa7a6868d4f63f6b214271d238be956c
- SHA512
  
  ff5126bcedf8d7d2927160161ae2c4ecae9fe1f561d97135e92c35c96b111753045b9a6e74529f086083778fcd017ed958a5b8066cb4dd7243c0473ae566978b
- SSDEEP
  
  384:zDJcEgWPwf0ulPLLgoylkWz1vAaFYruA/du48nAv5PbK7L59LL/OF15JGty:zFcEgWIfttLKWs1v9erzdu48Av5PbIfU
Score

10^/10

guloader downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guloaderdownloaderpersistence

behavioral2

guloaderdownloaderpersistence

© 2018-2024

Terms | Privacy