guloader | 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8

Analysis

max time kernel
8s
max time network
43s
platform
windows7_x64
resource
win7v20210408
submitted
08-05-2021 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
Size

140KB
MD5

7deecd28ccb949d5c855dacc980298f2
SHA1

3a5cdb7227fdf47ded4ff1fe1dd38cfa502eea84
SHA256

9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8
SHA512

f1d1b66497bd2deea07392cdafe5a07284cdbba2e9e9c17978d35a7094d605b40e525222759e64d473d13b0356e344c0e3efed16bc5a6e14b380b67b5c9b452b

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=16HNLjxnV8VDMTThcctq09H1-RlR7b_vX

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral1/memory/788-62-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_guloader

Checks QEMU agent state file 2 TTPs 1 IoCs
Checks state file used by QEMU agent, possibly to detect virtualization.

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe

description ioc process

File opened (read-only) C:\ProgramData\qemu-ga\qga.state 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe

pid process

788 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe

pid process

788 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe

description	ioc	process
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe

pid	process
788	9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe

pid	process
788	9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe

C:\Users\Admin\AppData\Local\Temp\9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
"C:\Users\Admin\AppData\Local\Temp\9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe"
1⤵
- Checks QEMU agent state file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-62-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download