guloader | 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af

Analysis

max time kernel
8s
max time network
13s
platform
windows7_x64
resource
win7v20210408
submitted
09-05-2021 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
Size

108KB
MD5

c1bbb80a3a9617259a87b1be77215c97
SHA1

1f176833a49f04aff11ed74580b5dfc725cf20bd
SHA256

50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af
SHA512

3046ffd635074341d28924b480d0d62bcaff798f92aaf36ec1980de4e27f93a01494720fece7bbd1e3115c5568b281034a791949f46554003b6ad008f0e60604

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

https://www.mediafire.com/file/bg09a2z8p0ojruh/origin_dwqUQLYCkO21.bin/file

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral1/memory/940-61-0x0000000000270000-0x000000000027A000-memory.dmp	family_guloader

Checks QEMU agent state file 2 TTPs 1 IoCs
Checks state file used by QEMU agent, possibly to detect virtualization.

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe

description ioc process

File opened (read-only) C:\ProgramData\qemu-ga\qga.state 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe

pid process

940 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe

pid process

940 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe

description	ioc	process
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe

pid	process
940	50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe

pid	process
940	50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe

C:\Users\Admin\AppData\Local\Temp\50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
"C:\Users\Admin\AppData\Local\Temp\50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe"
1⤵
- Checks QEMU agent state file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-61-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download