General

  • Target

    dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88

  • Size

    84KB

  • Sample

    210508-qpb5j4zjwj

  • MD5

    eac11af6b1c0d12ae39ef490e7916067

  • SHA1

    d3ce19add02073a36627919e5c8c82f8d182d6fa

  • SHA256

    dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88

  • SHA512

    03edd7a6e6fad15b9110321a7ece4f782d8f0163e4eb43225d0e63a386d108f7c5f4ad8c5b0decaa7b580498b779fb53a035f9c1b17ae0465ed42cce797d5c74

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1hQILvhuKCpLHCDyIe1Ixva67uM_ixN1N

xor.base64
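The extracted config is tagged xor.base64, i.e. the C2 string was recovered from a base64 blob over XOR-encoded bytes. The helper below, as an added example that is not code from this report or from the GuLoader sample, shows how such a string is decoded and how a one-byte XOR key can be recovered from a known plaintext prefix, and pulls the file ID out of the Google Drive uc?export=download URL for use as an indicator. The encoding scheme (repeating-key XOR, then base64), the 0x5A key and the blob itself are assumptions constructed here from the report's C2 URL, not values taken from the sample.

```python
"""Decode a GuLoader-style xor.base64 config string and extract the Google Drive
file ID from a uc?export=download C2 URL.

Added example, not code from the original report or from the GuLoader sample.
The encoding (base64 over a repeating-key XOR of the plaintext) and the
single-byte key 0x5A used for the sample blob are assumptions; the blob is
constructed here from the report's C2 URL.
"""
import base64
from typing import Optional
from urllib.parse import parse_qs, urlparse

# C2 URL as listed in the report's extracted config.
C2_URL = "https://drive.google.com/uc?export=download&id=1hQILvhuKCpLHCDyIe1Ixva67uM_ixN1N"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this both
    encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_xor_base64(blob: str, key: bytes) -> bytes:
    """Undo xor.base64: base64-decode the blob, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_single_byte_key(blob: str, known_prefix: bytes = b"http") -> Optional[int]:
    """Brute-force a one-byte XOR key using a known plaintext prefix.

    Returns the key, or None if no key yields the prefix. With a non-empty
    prefix the first ciphertext byte already fixes the key, so at most one
    candidate can match.
    """
    raw = base64.b64decode(blob)
    for k in range(256):
        if xor_bytes(raw, bytes([k])).startswith(known_prefix):
            return k
    return None


def gdrive_file_id(url: str) -> Optional[str]:
    """Return the id= parameter of a drive.google.com download URL, else None.
    The file ID is the stable indicator; the rest of the URL is boilerplate."""
    parts = urlparse(url)
    if parts.netloc.lower() != "drive.google.com":
        return None
    ids = parse_qs(parts.query).get("id")
    return ids[0] if ids else None


# Constructed sample blob (assumption): the report's C2 URL XORed with 0x5A,
# then base64-encoded. Built here so the example runs offline.
SAMPLE_KEY = bytes([0x5A])
SAMPLE_BLOB = base64.b64encode(xor_bytes(C2_URL.encode(), SAMPLE_KEY)).decode()


if __name__ == "__main__":
    k = recover_single_byte_key(SAMPLE_BLOB)
    url = decode_xor_base64(SAMPLE_BLOB, bytes([k])).decode()
    print(f"key=0x{k:02x} url={url} drive_id={gdrive_file_id(url)}")
```

Real GuLoader builds are not limited to one-byte keys, which is why decode_xor_base64 takes an arbitrary key; the brute-force helper only covers the single-byte case and relies on the plaintext starting with "http", which holds for a URL-valued C2 field.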

Targets

    • Target

      dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88

    • Size

      84KB

    • MD5

      eac11af6b1c0d12ae39ef490e7916067

    • SHA1

      d3ce19add02073a36627919e5c8c82f8d182d6fa

    • SHA256

      dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88

    • SHA512

      03edd7a6e6fad15b9110321a7ece4f782d8f0163e4eb43225d0e63a386d108f7c5f4ad8c5b0decaa7b580498b779fb53a035f9c1b17ae0465ed42cce797d5c74

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Guloader Payload

    • Checks QEMU agent state file

      Checks for the state file written by the QEMU guest agent (qemu-ga). The agent only runs inside a QEMU/KVM guest, so the file's presence reveals virtualization and the sample likely uses it as a sandbox check.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), which stops the calling thread from delivering debug events to an attached debugger; a common anti-analysis step.
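The two behavioural signatures above (the qemu-ga state-file check and ThreadHideFromDebugger) and the report's ATT&CK rows are what a sandbox rule engine derives from the API trace. The script below is an added example, not Triage's own rules or the report's data: it runs simple matching rules over a hand-constructed API trace and folds the hits into the same tactic/technique counts the matrix shows. The trace format, the qemu-ga path C:\ProgramData\qemu-ga\qga.state (qemu-ga's default state directory on Windows) and the generic registry-query rule that feeds the T1012 row are all assumptions.

```python
"""Match sandbox API-trace events against the signatures in this report and
build the ATT&CK v6 tactic/technique counts.

Added example, not the sandbox's rule engine or data from the sample. The
event trace is constructed by hand; the qemu-ga state-file path and the
registry-query rule are assumptions.
"""
from collections import Counter
from typing import Dict, List, Tuple

# THREADINFOCLASS value for ThreadHideFromDebugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11

FILE_OPEN_APIS = {"NtCreateFile", "NtOpenFile", "CreateFileW", "CreateFileA"}
REG_QUERY_APIS = {"NtQueryValueKey", "RegQueryValueExW", "RegQueryValueExA"}

# Assumed default location of the qemu-ga state file on Windows guests.
QGA_STATE_SUFFIX = "\\qemu-ga\\qga.state"

# Signature -> (tactic, technique ID, technique name) rows, as in the report's
# matrix. T1497 sits under both Defense Evasion and Discovery in ATT&CK v6.
# The anti-debug signature has no technique ID on the page, so it maps to none.
SIGNATURE_ROWS: Dict[str, List[Tuple[str, str, str]]] = {
    "Checks QEMU agent state file": [
        ("Defense Evasion", "T1497", "Virtualization/Sandbox Evasion"),
        ("Discovery", "T1497", "Virtualization/Sandbox Evasion"),
    ],
    "Queries the registry": [("Discovery", "T1012", "Query Registry")],
    "Suspicious use of NtSetInformationThreadHideFromDebugger": [],
}


def _norm_path(p: str) -> str:
    return p.lower().replace("/", "\\")


def match_signatures(events: List[dict]) -> List[str]:
    """Return the distinct signature names a trace triggers, in first-hit order."""
    hits: List[str] = []
    for ev in events:
        api, args = ev.get("api", ""), ev.get("args", {})
        if (api == "NtSetInformationThread"
                and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
            hits.append("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif api in FILE_OPEN_APIS and _norm_path(args.get("FileName", "")).endswith(QGA_STATE_SUFFIX):
            hits.append("Checks QEMU agent state file")
        elif api in REG_QUERY_APIS:
            hits.append("Queries the registry")
    return list(dict.fromkeys(hits))  # dedupe, keep order


def attack_matrix(signatures: List[str]) -> Counter:
    """Count signatures per (tactic, technique ID), one row per mapping."""
    counts: Counter = Counter()
    for sig in signatures:
        for tactic, tid, _name in SIGNATURE_ROWS.get(sig, []):
            counts[(tactic, tid)] += 1
    return counts


# Constructed trace (assumption) in a generic sandbox API-log shape.
SAMPLE_TRACE = [
    {"api": "NtQueryValueKey",
     "args": {"KeyHandle": "HKLM\\HARDWARE\\DESCRIPTION\\System", "ValueName": "SystemBiosVersion"}},
    {"api": "NtCreateFile",
     "args": {"FileName": "C:\\ProgramData\\qemu-ga\\qga.state", "DesiredAccess": "GENERIC_READ"}},
    {"api": "NtSetInformationThread",
     "args": {"ThreadHandle": -2, "ThreadInformationClass": 0x11}},
    {"api": "NtSetInformationThread",  # repeat call must not double-count
     "args": {"ThreadHandle": -2, "ThreadInformationClass": 0x11}},
    {"api": "NtCreateFile", "args": {"FileName": "C:\\Users\\Public\\stage.tmp"}},
]


if __name__ == "__main__":
    sigs = match_signatures(SAMPLE_TRACE)
    for s in sigs:
        print("signature:", s)
    for (tactic, tid), n in sorted(attack_matrix(sigs).items()):
        print(f"{tactic:16} {tid} {n}")
```

On the constructed trace this yields the three signatures and the same three matrix rows as the report, each with a count of 1; the duplicated NtSetInformationThread call is collapsed because the report counts signatures, not calls.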

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                        Count  ID
  Defense Evasion   Virtualization/Sandbox Evasion   1      T1497
  Discovery         Query Registry                   1      T1012
  Discovery         Virtualization/Sandbox Evasion   1      T1497

Tasks