guloader | 9fd53114801142518771a1acfa7836d42ce0d8fe0efd91a0880b02963ccd9782 | Triage

Submit
Reports

Overview

overview

Static

static

1

awb_shippi...B).vbs

windows7-x64

3

awb_shippi...B).vbs

windows10-2004-x64

Sharing

General

Target

01072024_1118_30062024_awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).7z
Size

12KB
Sample

240701-nerxsa1hqr
MD5

fa7d8b0088f10253f4fa1ffbfd782e9a
SHA1

0336fe36e63e955f8b8230a36eab0d21689fee39
SHA256

9fd53114801142518771a1acfa7836d42ce0d8fe0efd91a0880b02963ccd9782
SHA512

0bcf91a934f5b6d65f9c00488639f96e76aac6400e1787d1ce921478f9264bfb2d3dff82d0c38729335a6235540e25f782f3501eba36d0a730baea240b679145
SSDEEP

192:hPBidBloJTDo51PI7Na9mLyyFO2f1ALtO/8z4IdBzHpv77i+Rl:hQdBlUPU1PI7Nimxbfmtyebpviml

Score

10^/10

guloader collection downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs

Resource

win7-20240508-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs

Resource

win10v2004-20240508-en

guloader collection downloader persistence

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs
- Size
  
  22KB
- MD5
  
  a13172a0f0e7ac4d5f957050221d7e3f
- SHA1
  
  c81809f26230427879daf37de42163b1731018ad
- SHA256
  
  e8a3dc3bf71a6dbdc2ab8beb59a9b435626d67d1596a4dc4dbfbc7c8978e74f2
- SHA512
  
  52feaccccb0ff8973f8c7bff8f1ca450c57351978778590c67ec5bb91025aa99d8011819f315806d1f580b87883e0ab36717b2f61c913945b20685ca048f0ef2
- SSDEEP
  
  384:AlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwP4WUUWUfLsA:0zSR022X/523S0e8xPPm+K1hmrRWK
Score

10^/10

guloader collection downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

guloadercollectiondownloaderpersistence

© 2018-2024

Terms | Privacy