guloader | 78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6 | Triage

Submit
Reports

Overview

overview

Static

static

1

TOP URGENT...NS.vbs

windows7-x64

8

TOP URGENT...NS.vbs

windows10-2004-x64

Sharing

General

Target

TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs
Size

22KB
Sample

240701-qdrxhawhnp
MD5

003c272edd6f7cf2b08bfc98d1d48c7c
SHA1

a6ee590e3b81dbbce6e550c6dba9256c76cd4e21
SHA256

78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6
SHA512

4a251916c7e5bef128493ca4f9c303288d9f5934f763f5c383ebf99a671686359cacd977913260ed1c6a3c2e4df36a57873bf4620f7395a70d7eb1b82deb3213
SSDEEP

384:clzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww5Bpg3KU7a4i:ozSR022X/523S0e8xPPmKpgY4Rr0j

Score

10^/10

guloader collection downloader persistence

Static task

static1

Behavioral task

behavioral1

Sample

TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs

Resource

win7-20231129-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs

Resource

win10v2004-20240508-en

guloader collection downloader persistence

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs
- Size
  
  22KB
- MD5
  
  003c272edd6f7cf2b08bfc98d1d48c7c
- SHA1
  
  a6ee590e3b81dbbce6e550c6dba9256c76cd4e21
- SHA256
  
  78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6
- SHA512
  
  4a251916c7e5bef128493ca4f9c303288d9f5934f763f5c383ebf99a671686359cacd977913260ed1c6a3c2e4df36a57873bf4620f7395a70d7eb1b82deb3213
- SSDEEP
  
  384:clzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww5Bpg3KU7a4i:ozSR022X/523S0e8xPPmKpgY4Rr0j
Score

10^/10

guloader collection downloader persistence
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

guloadercollectiondownloaderpersistence

© 2018-2024

Terms | Privacy