Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 08-05-2021 21:59

Static task: static1
Behavioral task: behavioral1
- Sample: dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88.exe
- Resource: win10v20210408
General
- Target: dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88.exe
- Size: 84KB
- MD5: eac11af6b1c0d12ae39ef490e7916067
- SHA1: d3ce19add02073a36627919e5c8c82f8d182d6fa
- SHA256: dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88
- SHA512: 03edd7a6e6fad15b9110321a7ece4f782d8f0163e4eb43225d0e63a386d108f7c5f4ad8c5b0decaa7b580498b779fb53a035f9c1b17ae0465ed42cce797d5c74
Malware Config
Extracted (guloader)
- https://drive.google.com/uc?export=download&id=1hQILvhuKCpLHCDyIe1Ixva67uM_ixN1N
Signatures
- Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
- Guloader payload (1 IoC)
Processes:
resource | yara_rule
behavioral1/memory/1996-62-0x0000000000270000-0x000000000027A000-memory.dmp | family_guloader
- Checks QEMU agent state file (2 TTPs, 1 IoC)
Checks the state file used by the QEMU guest agent, possibly to detect virtualization.
Processes:
process | description | ioc
dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88.exe | File opened (read-only) | C:\ProgramData\qemu-ga\qga.state
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
process | pid
dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88.exe | 1996
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
process | pid
dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88.exe | 1996
Processes
- "C:\Users\Admin\AppData\Local\Temp\dbaa7c78967b5940aeab47df359e9a365f64e91019e8e45385eb5f248922da88.exe" (pid 1996)
  - Checks QEMU agent state file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1996-62-0x0000000000270000-0x000000000027A000-memory.dmp
  Filesize: 40KB (0x270000-0x27A000)
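The three things an analyst usually pulls out of a report like this one are the memory-dump artifact (pid, index and address range encoded in its name), the Google Drive download id in the extracted GuLoader config, and the anti-analysis behaviours listed under Signatures. The following is an added Python example, not code from the sandbox or from the report, that does all three over constructed input shaped like this report. The qemu-ga path is the one the report shows; the VirtualBox and VMware paths, the event dictionary layout and the SAMPLE_EVENTS list are assumptions made for illustration and are not something the report attributes to this sample.

```python
"""Helpers for reading a sandbox report like the one above: parse the
memory-dump artifact name, pull the download id out of the extracted GuLoader
URL, and flag anti-analysis behaviour in a list of process events."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Artifact paths that malware opens to decide whether it runs under a hypervisor.
# The qemu-ga state file is the one this report shows; the other two are assumed
# examples of the same technique and are not attributed to this sample.
VM_ARTIFACT_PATHS = {
    r"c:\programdata\qemu-ga\qga.state": "qemu-guest-agent",
    r"c:\windows\system32\drivers\vboxmouse.sys": "virtualbox",
    r"c:\windows\system32\drivers\vmmouse.sys": "vmware",
}

# Dump artifact name as used in the report: <pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?:.*/)?(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class DumpInfo:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        """Length of the dumped region in bytes."""
        return self.end - self.start


def parse_dump_name(name: str) -> DumpInfo:
    """Split a memory dump artifact name into pid, index and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name!r}")
    return DumpInfo(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def drive_download_id(url: str) -> Optional[str]:
    """Return the file id from a drive.google.com/uc?export=download&id=... URL, else None."""
    u = urlparse(url)
    if u.netloc != "drive.google.com" or u.path != "/uc":
        return None
    q = parse_qs(u.query)
    if q.get("export") != ["download"]:
        return None
    ids = q.get("id", [])
    return ids[0] if ids else None


def classify_events(events):
    """Map raw behavioural events to the signature names used in the report.

    events: iterable of dicts with keys pid, op ('file_open' | 'api_call'),
    target (path or API name) and optional arg (API parameter of interest).
    Returns a sorted, de-duplicated list of (signature, pid, detail) tuples.
    """
    hits = set()
    for ev in events:
        pid, op, target = ev["pid"], ev["op"], ev["target"]
        if op == "file_open":
            family = VM_ARTIFACT_PATHS.get(target.lower())
            if family:
                hits.add(("Checks VM artifact file", pid, family))
        elif op == "api_call":
            if target == "NtSetInformationThread" and ev.get("arg") == "ThreadHideFromDebugger":
                hits.add(("Suspicious use of NtSetInformationThreadHideFromDebugger", pid, target))
            elif target == "SetWindowsHookEx":
                hits.add(("Suspicious use of SetWindowsHookEx", pid, target))
    return sorted(hits)


# Constructed sample events shaped like the report's observations (not captured data).
SAMPLE_EVENTS = [
    {"pid": 1996, "op": "file_open", "target": r"C:\ProgramData\qemu-ga\qga.state"},
    {"pid": 1996, "op": "api_call", "target": "NtSetInformationThread", "arg": "ThreadHideFromDebugger"},
    {"pid": 1996, "op": "api_call", "target": "SetWindowsHookEx"},
    {"pid": 1996, "op": "file_open", "target": r"C:\Users\Admin\AppData\Local\Temp\unrelated.tmp"},
]

if __name__ == "__main__":
    d = parse_dump_name("memory/1996-62-0x0000000000270000-0x000000000027A000-memory.dmp")
    print(f"pid={d.pid} index={d.index} size={d.size} bytes ({d.size // 1024}KB)")
    print(drive_download_id("https://drive.google.com/uc?export=download&id=1hQILvhuKCpLHCDyIe1Ixva67uM_ixN1N"))
    for sig, pid, detail in classify_events(SAMPLE_EVENTS):
        print(f"{sig}: pid {pid} ({detail})")
```

The dump parser confirms the 40KB Filesize in the Downloads section from the address range alone (0x27A000 - 0x270000 = 40960 bytes), which is a useful cross-check when a report's artifact list and its memory sections disagree. Path matching is case-insensitive because the sample may open the qemu-ga file with any casing; only exact known paths are matched, so an unrelated Temp file in the same event stream produces no hit.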