Overview

overview

10

Static

static

gunzipped.exe

windows7_x64

10

gunzipped.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-04-2021 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gunzipped.exe

  • Size

    212KB

  • MD5

    e8caac54776eac6e3740c9c8426486df

  • SHA1

    d6720055a125da5922be71b69b3a4078a49642ea

  • SHA256

    d75c69a49a30595964989b72499ec0e303ff42a0e2a334dda22a9cd9fd7e8ba5

  • SHA512

    0e16cb730971d507c9767b953c2d320b9b5a8099b736bcb42e92435d13cf77083ad2a98bf23a42af53c36907c29949f30f4e1e548662a76adb877487549f5bea

Score
10/10
guloaderdownloaderguloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Guloader Payload 3 IoCs
    guloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1504-117-0x0000000000401FBC-mapping.dmp
    Download
  • memory/1504-118-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1504-119-0x0000000000401000-0x00000000004FD000-memory.dmp
    Filesize

    1008KB

    Download
  • memory/1504-120-0x0000000000560000-0x0000000000660000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1504-122-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1504-121-0x0000000000401000-0x0000000000541000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2116-116-0x00000000021D0000-0x00000000021DD000-memory.dmp
    Filesize

    52KB

    Download