General

  • Target

    f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5

  • Size

    96KB

  • Sample

    210504-2nltt4mcv6

  • MD5

    e2777087ae21f30e48b870933f7d21df

  • SHA1

    ccbadd732111ab1fd9c75278176e2b592080811f

  • SHA256

    f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5

  • SHA512

    27768811dfe75a765277ad13774c679301c6b88c063d7125d06704522363eaa42539bc928c88d5fb765900746fe06d47e8b75a31abe8c4641df34ddb45e50a80

Malware Config

Extracted

Family

guloader

C2

http://172.93.162.253/bin_XWGtFJzI218.bin

xor.base64

Targets

    • Target

      f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5

    • Size

      96KB

    • MD5

      e2777087ae21f30e48b870933f7d21df

    • SHA1

      ccbadd732111ab1fd9c75278176e2b592080811f

    • SHA256

      f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5

    • SHA512

      27768811dfe75a765277ad13774c679301c6b88c063d7125d06704522363eaa42539bc928c88d5fb765900746fe06d47e8b75a31abe8c4641df34ddb45e50a80

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Guloader Payload

    • Checks QEMU agent state file

      Checks state file used by QEMU agent, possibly to detect virtualization.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

Tasks