guloader | 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba

Analysis

max time kernel
22s
max time network
14s
platform
windows7_x64
resource
win7v20210410
submitted
11-05-2021 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
Size

140KB
MD5

3faa4f81a11ffdcb983e3dcf1362cef5
SHA1

e51450139609ec06e9aae677005d8c1a90813d38
SHA256

5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba
SHA512

223e134da32667363fd813f37ceb669c2797f117d93a9738cf6b463d61a251e253cfcf12d9fba313a863c67ac5758836717bd74d163653f1fcc9e861c53dac2b

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1a5-u_da6L5rWTAc_KR-zeONezIDI0K2b

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral1/memory/540-62-0x0000000000330000-0x000000000033A000-memory.dmp	family_guloader

Checks QEMU agent state file 2 TTPs 1 IoCs
Checks state file used by QEMU agent, possibly to detect virtualization.

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

description ioc process

File opened (read-only) C:\ProgramData\qemu-ga\qga.state 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

pid process

540 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

pid process

540 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

description	ioc	process
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

pid	process
540	5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

pid	process
540	5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

C:\Users\Admin\AppData\Local\Temp\5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
"C:\Users\Admin\AppData\Local\Temp\5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe"
1⤵
- Checks QEMU agent state file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-62-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download