guloader | b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6 | Triage

Submit
Reports

Overview

overview

Static

static

1

awb_shippi...B).vbs

windows7-x64

awb_shippi...B).vbs

windows10-2004-x64

Sharing

General

Target

awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs
Size

187KB
Sample

240625-nc45bszarp
MD5

71e6ad71e4958df129a87422066d1be1
SHA1

75e5f0176d44782d874e74411d72ec5dbe86660c
SHA256

b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6
SHA512

c6217bdc6b15046be438f7367c28b4a1dded02181a0e0579ceba297b0e4cdf4b7256b0ed1e8cada6cb3555bd344d739b166b269b68a05f2e6c391d997b1d7832
SSDEEP

3072:fmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZV:f08GxbKja3+DCbKCvBB/WnHXC/sLJFJ4

Score

10^/10

guloader collection downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs

Resource

win7-20240220-en

guloader downloader persistence

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs

Resource

win10v2004-20240611-en

guloader collection downloader persistence

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs
- Size
  
  187KB
- MD5
  
  71e6ad71e4958df129a87422066d1be1
- SHA1
  
  75e5f0176d44782d874e74411d72ec5dbe86660c
- SHA256
  
  b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6
- SHA512
  
  c6217bdc6b15046be438f7367c28b4a1dded02181a0e0579ceba297b0e4cdf4b7256b0ed1e8cada6cb3555bd344d739b166b269b68a05f2e6c391d997b1d7832
- SSDEEP
  
  3072:fmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZV:f08GxbKja3+DCbKCvBB/WnHXC/sLJFJ4
Score

10^/10

guloader downloader persistence collection
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guloaderdownloaderpersistence

behavioral2

guloadercollectiondownloaderpersistence

© 2018-2024

Terms | Privacy