Analysis
max time kernel: 145s
max time network: 149s
platform: windows10_x64
resource: win10v20210410
submitted: 22-04-2021 09:03
Static task: static1
Behavioral task: behavioral1 (Sample: cb03fe75572bc1d3406e9b3cda1e782e.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: cb03fe75572bc1d3406e9b3cda1e782e.exe, Resource: win10v20210410)
General
Target: cb03fe75572bc1d3406e9b3cda1e782e.exe
Size: 160KB
MD5: cb03fe75572bc1d3406e9b3cda1e782e
SHA1: d66bb237393370460edb2f32b3a696823f9bc9f4
SHA256: 19bf54b5145b7080462d1f459dd88a6c7b8f6eb815be116651ad9016939777f0
SHA512: d4509419b97b105554ebfa27826afbf407ba6a41e89275f1fd6f28c120076a9e99965cac78fd41b63e6918d92176a9c6cd7414af904e395d6165e536a8d236d9
Malware Config
Signatures
Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.
ModiLoader, DBatLoader: a Delphi loader that misuses cloud services to download other malicious families.
Guloader Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/4056-116-0x00000000021C0000-0x00000000021CA000-memory.dmp | family_guloader
behavioral2/memory/4004-117-0x0000000000F60000-0x0000000001060000-memory.dmp | family_guloader
behavioral2/memory/4004-118-0x0000000000F60000-mapping.dmp | family_guloader
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of the QEMU guest agent, possibly to detect virtualization.
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | cb03fe75572bc1d3406e9b3cda1e782e.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ieinstal.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | ieinstal.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Teoridannel9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HYPERBRACH\\alcoabagtungenh.exe" | ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | process
4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe
4004 | ieinstal.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 4056 set thread context of 4004 | 4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe | ieinstal.exe
Suspicious behavior: MapViewOfSection (1 IoC)
pid | process
4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | process | target process
PID 4056 wrote to memory of 4004 | 4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe | ieinstal.exe
PID 4056 wrote to memory of 4004 | 4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe | ieinstal.exe
PID 4056 wrote to memory of 4004 | 4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe | ieinstal.exe
PID 4056 wrote to memory of 4004 | 4056 | cb03fe75572bc1d3406e9b3cda1e782e.exe | ieinstal.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\cb03fe75572bc1d3406e9b3cda1e782e.exe (PID 4056)
   Command line: "C:\Users\Admin\AppData\Local\Temp\cb03fe75572bc1d3406e9b3cda1e782e.exe"
   - Checks QEMU agent file
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\internet explorer\ieinstal.exe (PID 4004)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cb03fe75572bc1d3406e9b3cda1e782e.exe"
      - Checks QEMU agent file
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
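Three of the behaviours above are the ones a responder turns into detection logic: the parent calling SetThreadContext and WriteProcessMemory into a freshly spawned ieinstal.exe that runs under the sample's own command line (an image/command-line mismatch consistent with process hollowing), a Run value pointing into the user's Temp directory, and the read-only probe of qemu-ga.exe. The block below is an added example, not part of the sandbox report and not tooling from the sandbox vendor. It rebuilds the report's events as constructed Python records and runs the three checks over them; the Event schema, its field names and the list of user-writable directories are assumptions of this example, not a real sandbox export format.

```python
"""Triage the behavioural IoCs from the sandbox report (added example).

The Event records below are constructed to mirror the report (PIDs 4056
and 4004, ieinstal.exe mapped under the sample's command line, the Run
value Teoridannel9, the qemu-ga.exe probe). The Event schema and field
names are assumptions of this example, not a real sandbox export format.
"""
from dataclasses import dataclass, field
import ntpath
import re

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\cb03fe75572bc1d3406e9b3cda1e782e.exe"
IEINSTAL = r"C:\Program Files (x86)\internet explorer\ieinstal.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")


@dataclass
class Event:
    kind: str   # "process", "file", "thread" or "registry" (assumed schema)
    pid: int
    data: dict = field(default_factory=dict)


# Constructed from the report's IoC tables; order follows the report.
EVENTS = [
    Event("process", 4056, {"image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'}),
    Event("file", 4056, {"op": "open", "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"}),
    Event("thread", 4056, {"api": "SetThreadContext", "target_pid": 4004}),
    Event("process", 4004, {"image": IEINSTAL, "cmdline": f'"{SAMPLE_PATH}"'}),
    Event("file", 4004, {"op": "open", "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"}),
    Event("registry", 4004, {"op": "set_value", "key": RUN_KEY + r"\Teoridannel9",
                             "value": r"C:\Users\Admin\AppData\Local\Temp\HYPERBRACH\alcoabagtungenh.exe"}),
]

# Assumed heuristics for this example.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
VM_AGENT_FILES = {r"c:\program files\qemu-ga\qemu-ga.exe"}


def first_token(cmdline):
    """Binary named on a Windows command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2) or "") if m else ""


def image_cmdline_mismatch(ev):
    """Hollowing tell: the mapped image is not the binary the command line names."""
    image = ntpath.basename(ev.data["image"]).lower()
    claimed = ntpath.basename(first_token(ev.data["cmdline"])).lower()
    return claimed != image


def hollowing_candidates(events):
    """SetThreadContext from one process into another whose image/cmdline disagree."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind == "thread" and e.data.get("api") == "SetThreadContext":
            target = by_pid.get(e.data["target_pid"])
            if target is not None and e.pid != target.pid and image_cmdline_mismatch(target):
                hits.append((e.pid, target.pid, ntpath.basename(target.data["image"])))
    return hits


def run_key_persistence(events):
    """Run values whose target executable lives in a user-writable directory."""
    hits = []
    for e in events:
        if e.kind != "registry" or e.data.get("op") != "set_value":
            continue
        m = RUN_KEY_RE.search(e.data["key"])
        if m and any(d in e.data["value"].lower() for d in USER_WRITABLE):
            hits.append((e.pid, m.group(1), e.data["value"]))
    return hits


def vm_probes(events):
    """File opens of hypervisor guest-agent binaries (only qemu-ga listed here)."""
    return sorted({(e.pid, e.data["path"]) for e in events
                   if e.kind == "file" and e.data["path"].lower() in VM_AGENT_FILES})


def triage(events):
    """Run all three checks and return the findings keyed by category."""
    return {"hollowing": hollowing_candidates(events),
            "persistence": run_key_persistence(events),
            "vm_probe": vm_probes(events)}


if __name__ == "__main__":
    for category, findings in triage(EVENTS).items():
        print(category, findings)
```

The image/command-line mismatch is the check worth generalising: a hollowed child inherits the parent's command line but maps a different binary, so the same rule fires on any spoofed host process, not only ieinstal.exe. In a real pipeline the Event list would be built from the sandbox's export or from Sysmon process-create, process-access and registry-set events rather than typed in.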