Analysis
max time kernel: 22s
max time network: 14s
platform: windows7_x64
resource: win7v20210410
submitted: 11-05-2021 13:02

Static task: static1
Behavioral task: behavioral1
  Sample: 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
  Resource: win10v20210410

General
Target: 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
Size: 140KB
MD5: 3faa4f81a11ffdcb983e3dcf1362cef5
SHA1: e51450139609ec06e9aae677005d8c1a90813d38
SHA256: 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba
SHA512: 223e134da32667363fd813f37ceb669c2797f117d93a9738cf6b463d61a251e253cfcf12d9fba313a863c67ac5758836717bd74d163653f1fcc9e861c53dac2b
Malware Config
Extracted
Family: guloader
URL: https://drive.google.com/uc?export=download&id=1a5-u_da6L5rWTAc_KR-zeONezIDI0K2b
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Guloader Payload (1 IoCs)
  resource: behavioral1/memory/540-62-0x0000000000330000-0x000000000033A000-memory.dmp
  yara_rule: family_guloader

Checks QEMU agent state file (2 TTPs, 1 IoCs)
Checks state file used by QEMU agent, possibly to detect virtualization.
  description: File opened (read-only)
  ioc: C:\ProgramData\qemu-ga\qga.state
  process: 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid: 540
  process: 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 540
  process: 5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5da6c70f145dcb4c50abe95e6b641d3a4c24fbc74f02b19aa40e574b25eaecba.exe"
  - Checks QEMU agent state file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/540-62-0x0000000000330000-0x000000000033A000-memory.dmp
  Filesize: 40KB