Meet UULoader: An Emerging and Evasive Malicious Installer

Aug. 20, 2024, 3:25 p.m.

Description

An analysis uncovered a malicious installer dubbed 'UULoader' that employs several techniques to evade detection: stripping the file headers from its embedded payloads (which defeats file-type and signature checks that key on the header), side-loading a malicious DLL through a legitimate executable, and obfuscation. This multi-staged approach to payload delivery is effective against static detection, as evidenced by the low VirusTotal detection rates of the samples. The final payloads appear to be remote access tools and hacking tools (the listed attack patterns include Gh0stRat and Mimikatz), and linguistic artifacts in the samples suggest a Chinese-speaking threat actor.
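The header-stripping trick above means the dropped payload no longer looks like a PE file to tools that key on the "MZ"/"PE" magic, and its SHA-256 will not match the hash of the original executable. The following is an added triage example (not code from the report or from UULoader): it assumes, as a simplification, that stripping means the "MZ" and "PE\0\0" magic bytes were removed while the rest of the header structure stayed intact, and it recognises such a file from the remaining DOS/COFF/optional-header fields, restores the magic, and shows that the on-disk and reconstructed hashes differ. The sample PE layout is constructed inline and is not a real executable.

```python
import hashlib
import struct

PE_OFFSET = 0x80  # where the constructed sample places its PE signature
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def build_sample_pe() -> bytes:
    """Constructed 64-bit PE-shaped blob: DOS header, PE signature, COFF header,
    optional header magic, padding. Not runnable code, just header structure."""
    dos = bytearray(PE_OFFSET)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_OFFSET)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH",
                       0x8664,   # Machine: x86-64
                       1,        # NumberOfSections
                       0,        # TimeDateStamp
                       0, 0,     # PointerToSymbolTable, NumberOfSymbols
                       0xF0,     # SizeOfOptionalHeader (PE32+ size)
                       0x0022)   # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = struct.pack("<H", 0x20B) + b"\x00" * 0xEE       # PE32+ magic + zeroed rest
    return bytes(dos) + b"PE\0\0" + coff + opt + b"\x00" * 0x200


def strip_magic(data: bytes) -> bytes:
    """Assumed loader behaviour: zero the 'MZ' and 'PE\\0\\0' magic bytes only."""
    buf = bytearray(data)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    buf[0:2] = b"\x00\x00"
    buf[e_lfanew:e_lfanew + 4] = b"\x00" * 4
    return bytes(buf)


def restore_magic(data: bytes) -> bytes:
    """Inverse of strip_magic: put the magic bytes back so the file parses as a PE."""
    buf = bytearray(data)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    buf[0:2] = b"MZ"
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


def classify_pe(data: bytes) -> dict:
    """Return {'verdict': 'pe' | 'stripped_pe' | 'not_pe', 'machine', 'format'}.

    A file with intact magic is 'pe'. A file whose magic is missing but whose
    e_lfanew, COFF Machine, section count and optional-header magic are all
    plausible is 'stripped_pe': that is the artefact worth a second look."""
    result = {"verdict": "not_pe", "machine": None, "format": None}
    if len(data) < 0x44:
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must sit past the DOS header and leave room for
    # signature (4) + COFF header (20) + optional-header magic (2)
    if e_lfanew < 0x40 or e_lfanew + 26 > len(data):
        return result
    has_mz = data[:2] == b"MZ"
    has_pe = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    machine, nsec = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    structural = (machine in KNOWN_MACHINES and 0 < nsec <= 96
                  and opt_size >= 2 and opt_magic in OPT_MAGICS)
    if has_mz and has_pe:
        result["verdict"] = "pe"
    elif structural:
        result["verdict"] = "stripped_pe"
    if structural:
        result["machine"] = KNOWN_MACHINES[machine]
        result["format"] = OPT_MAGICS[opt_magic]
    return result


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    original = build_sample_pe()
    on_disk = strip_magic(original)
    print("on-disk artefact:", classify_pe(on_disk))
    # Match IOCs against both the artefact as dropped and the reconstructed payload.
    print("sha256 on disk   :", sha256_hex(on_disk))
    print("sha256 restored  :", sha256_hex(restore_magic(on_disk)))
```

When sweeping a host, run classify_pe over files that the loader's legitimate executable sits next to, not just over files with a .exe or .dll extension; a "stripped_pe" verdict on a file with an innocuous extension is the signal. Hash both the artefact as found and the restored bytes before comparing against indicator lists, since only one of the two will match depending on which form the indicator was taken from.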

Date

  • Created: Aug. 20, 2024, 3:09 p.m.
  • Published: Aug. 20, 2024, 3:09 p.m.
  • Modified: Aug. 20, 2024, 3:25 p.m.

Indicators

  • fd0c66d3899702138f893f919f21b6d155a53a93a2181eaf4b602030c7adf5c7
  • ea193e1c13a142ed7d9f499a814d9480441f18c75e0617de8fdcc8443f7d1eae
  • e8d2a953c4423dc1836165d3cb734418f5276aa5ed46297d03bf01dbc78c8e70
  • dc8925a926456878860c37ed01a996de4f858f33ac18cfcf9b29a997d7e38e5c
  • ca543ff1fe2963a8daf5042b29c86e3d4abc0eb1365feb3ca53d006abc48f0cc
  • c675f276611ef53f8b74b8eb7b33590de19b07fc4b3b6d846ebca6f63a056ff7
  • bb64e8f94742afec20156e75915070f6c23ca13021a80c4637f92c2760009d72
  • b3e0aaf9a5c37408fca964220c9d294e4842a2901feaa373f056c191b8c6896d
  • b172b565dc16b29af83689cf6a26f62372e33f2640109a4ddb15d89f6bff3e6d
  • 972f9dc83a69fa5297e4d0e05113b6fab86bcefb0b3af913f7349bfe0e79fc87
  • 81c25e14af8c4ca37b6fb7ed0d8122a6a5d3054943af89e839bffff907fe128f
  • 742e6e4db5056b45254125f809ec158fdb5303c6c378fc1a23c599965a4aaa67
  • 5d3c87c115092f7c3da9a9144c1b594b0229830b258cbc27fe20841f38b78ca9
  • 5c698edeba5260b1eb170c375015273324b86bae82722d85d2f013b22ae52d0c
  • 5b5e8f9d1e317fd0963be2b5b46ca7a4710c5fec145a5a8bcb7eec1ff519a842
  • 596ffd75ab3512cba1e7328d902460b55401c094ddb67fe9f98263c06d10b517
  • 4a4efcf4c80c5ec4f6479549097e04c272d640664b4f8d0768f159f9f295f24a
  • 45e1ad56a97a92633f41d873fd8cb6b6da8e0e8e4ef094ba433d1c90ea195874
  • 3761a7ac0427692e4194d0a988b0d7985d7a909de69c3fc0ce028eb76a1297f9
  • 359fabc75c195ebec1fea4237aa011092f4080d82236652f2be1252275ed7b4f
  • 165a1ef58ee6f29291685d98863f82d1875d78b16d0a1207b34a7719b2b4d43a
  • 0df0ff0ce0162b4498ad6a25b6e536cffb119316262cf89e4ccf77535ebc13a5
  • 092ca5a50a0bf1d8f7b4e38fd80474f31f1d4eb8036ac13e101421b5df1687db

Attack Patterns

  • UULoader
  • Gh0stRat
  • Mimikatz
  • T1574.002 (Hijack Execution Flow: DLL Side-Loading)
  • T1204.002 (User Execution: Malicious File)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1027 (Obfuscated Files or Information)