Analysis
- max time kernel: 88s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-04-2021 12:04
Static task: static1
Behavioral task: behavioral1
- Sample: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Resource: win10v20210408
General
- Target: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Size: 156KB
- MD5: d5b8e2ce449917bf395454082de6cba9
- SHA1: fe872c03ceef39422218003bc5a34be4faf47e55
- SHA256: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4
- SHA512: 54dc37f2345a4b70786920c80adf8c1fc72c9ab97edf95b239453c081ab221134fbbc8ae8d8fd3ce635d4b3aec8f42fbc44005930e917e10e1a72cbd5e442e48
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader Payload (3 IoCs)
  Processes:
    resource                                                                              yara_rule
    behavioral2/memory/900-116-0x0000000002160000-0x000000000216D000-memory.dmp           family_guloader
    behavioral2/memory/2316-117-0x0000000000F9CE5E-mapping.dmp                            family_guloader
    behavioral2/memory/2316-118-0x0000000001370000-0x0000000001470000-memory.dmp          family_guloader
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of the QEMU guest agent, possibly to detect virtualization.
  Processes: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe, RegAsm.exe
    description             ioc                                      process
    File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe     981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe     RegAsm.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe, RegAsm.exe
    pid    process
    900    981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    2316   RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    description                          pid   process                                                                 target process
    PID 900 set thread context of 2316   900   981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe   RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    pid    process
    900    981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    pid    process
    900    981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    description                          pid   process                                                                 target process
    PID 900 wrote to memory of 2316      900   981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe   RegAsm.exe
    PID 900 wrote to memory of 2316      900   981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe   RegAsm.exe
    PID 900 wrote to memory of 2316      900   981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe   RegAsm.exe
    PID 900 wrote to memory of 2316      900   981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe   RegAsm.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe"
   - Checks QEMU agent file
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe"
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger