guloader | 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd

Analysis

max time kernel
132s
max time network
135s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
Size

96KB
MD5

6069bf9742a8ce15f44e35405c861540
SHA1

f3a763465ca3f12b00955d3a1d017b3a2d47049d
SHA256

63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd
SHA512

7b3e467510d93f3c65d893fee5d58aba66754543232df8d1c05fa32a96299cb8a5df49a89fac469e784f1625cb70c26802fd799ca5c6e5095b334c1c04c462a1

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

http://172.93.162.253/bin_WJoRuvaovF116.bin

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral1/memory/1672-61-0x0000000000270000-0x000000000027D000-memory.dmp	family_guloader

Checks QEMU agent state file 2 TTPs 1 IoCs
Checks state file used by QEMU agent, possibly to detect virtualization.

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe

description ioc process

File opened (read-only) C:\ProgramData\qemu-ga\qga.state 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe

pid process

1672 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe

pid process

1672 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe

description	ioc	process
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe

pid	process
1672	63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe

pid	process
1672	63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe

C:\Users\Admin\AppData\Local\Temp\63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
"C:\Users\Admin\AppData\Local\Temp\63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe"
1⤵
- Checks QEMU agent state file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-61-0x0000000000270000-0x000000000027D000-memory.dmp

Filesize
52KB

Download