Analysis
max time kernel: 24s
max time network: 129s
platform: windows10_x64
resource: win10v20210408
submitted: 04-05-2021 20:39
Static task: static1
Behavioral task: behavioral1
  Sample: f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe
  Resource: win10v20210408
General
Target: f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe
Size: 96KB
MD5: e2777087ae21f30e48b870933f7d21df
SHA1: ccbadd732111ab1fd9c75278176e2b592080811f
SHA256: f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5
SHA512: 27768811dfe75a765277ad13774c679301c6b88c063d7125d06704522363eaa42539bc928c88d5fb765900746fe06d47e8b75a31abe8c4641df34ddb45e50a80
Malware Config
Extracted family: guloader
Extracted URL: http://172.93.162.253/bin_XWGtFJzI218.bin
Signatures

Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.

Guloader Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/648-116-0x0000000002300000-0x000000000230D000-memory.dmp | family_guloader

Checks QEMU agent state file (2 TTPs, 1 IoC)
  Checks the state file used by the QEMU guest agent, possibly to detect virtualization.
  description | ioc | process
  File opened (read-only) | C:\ProgramData\qemu-ga\qga.state | f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | process
  648 | f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  648 | f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f989b3a6a8dfa3cb2de35ed0037863ba9ac2d48ea5ab411ca5ee3b6b35fcfeb5.exe"
   - Checks QEMU agent state file
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/648-116-0x0000000002300000-0x000000000230D000-memory.dmp
  Filesize: 52KB