guloader | c7a6d57fc3d397c2b303477d8e1d4fea64fec51f46b0ddfad97a11527771702c

Analysis

max time kernel
147s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

853KB
MD5

57dbc2be60ede5140738c720a629781c
SHA1

b348e314c3f9be312725b23a0fecf491404caf66
SHA256

c7a6d57fc3d397c2b303477d8e1d4fea64fec51f46b0ddfad97a11527771702c
SHA512

8932c191f72eb089d346848164c36104e6114e39cdeed19d1e67a7546ce68f01d8fdadec2c6f9ce5a80915e5781631fd37018f9e57c3a1d54d677f2e9c6ae006
SSDEEP

24576:N3mYVFbTdL3LgGStF2C/GVOoD5jQZj7/MJhmO:N3mYV9x3SH2C/EOEm7lO

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Loads dropped DLL 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

pid process

4072 Ziraat Bankasi Swift Mesaji.exe
4072 Ziraat Bankasi Swift Mesaji.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exe

pid process

4072 Ziraat Bankasi Swift Mesaji.exe
4492 Ziraat Bankasi Swift Mesaji.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

description pid process target process

PID 4072 set thread context of 4492 4072 Ziraat Bankasi Swift Mesaji.exe Ziraat Bankasi Swift Mesaji.exe
Drops file in Program Files directory 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

description ioc process

File opened for modification C:\Program Files (x86)\Common Files\hansson.ini Ziraat Bankasi Swift Mesaji.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

pid process

4072 Ziraat Bankasi Swift Mesaji.exe

pid	process
4072	Ziraat Bankasi Swift Mesaji.exe
4072	Ziraat Bankasi Swift Mesaji.exe

pid	process
4072	Ziraat Bankasi Swift Mesaji.exe
4492	Ziraat Bankasi Swift Mesaji.exe

description	pid	process	target process
PID 4072 set thread context of 4492	4072	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\hansson.ini	Ziraat Bankasi Swift Mesaji.exe

pid	process
4072	Ziraat Bankasi Swift Mesaji.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

description	pid	process	target process
PID 4072 wrote to memory of 4492	4072	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492	4072	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492	4072	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492	4072	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492	4072	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\hansson.ini
Filesize
43B

MD5
7e12fc067ec6fde7156ec11eeaab67b6

SHA1
789e752d7f5437c3f0ec58ad19f01f8a70b3ff12

SHA256
de7ad71debdcbe152a2f5cbd5aef0774cdc5e81d8aa5f8d708f1621ccb6625ac

SHA512
29e5863d536984d7ac250563665eeecec9e3e3d490dc24d82fdaa6b956fa1f328fd49b8e2716d5eebee298d39585afd63dcadd2897793f69076cc362b1f63101

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc322D.tmp\System.dll
Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
memory/4072-229-0x00000000046F0000-0x0000000007567000-memory.dmp

Filesize
46.5MB

Download
memory/4072-230-0x00000000779E1000-0x0000000077B01000-memory.dmp

Filesize
1.1MB

Download
memory/4072-231-0x0000000074845000-0x0000000074846000-memory.dmp

Filesize
4KB

Download
memory/4072-234-0x00000000046F0000-0x0000000007567000-memory.dmp

Filesize
46.5MB

Download
memory/4072-241-0x00000000046F0000-0x0000000007567000-memory.dmp

Filesize
46.5MB

Download
memory/4492-232-0x0000000001AA0000-0x0000000004917000-memory.dmp

Filesize
46.5MB

Download
memory/4492-233-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/4492-236-0x0000000001AA0000-0x0000000004917000-memory.dmp

Filesize
46.5MB

Download