guloader | 502289d544b27378272f693a139db58e368f4870be91ff2510a4b1c99635ea22

General

Target

Order List from Dunen Enterprise Corporation.exe
Size

128KB
MD5

744d832006910318b2826e4cc8db4b11
SHA1

b58f485d5153dc4cb1a608091e1174d6fc966a4a
SHA256

e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
SHA512

2ef7a81389e03fe8cdaa42e39e9df842d811b87b97d50e915e01d8fa35e3eaa49f7aaa03aa5a534e3413a636d3bf011ff9774a4b5b2553fbecef24aa8425deb4

Score

10^/10

guloader xloader hhse downloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

hhse

C2

http://www.mx-online-service.xyz/hhse/

Decoy

gujranwala.city

peinture-san-deco.com

disvapes.com

tekst-sanderlei.com

veryfastsnail.com

yaqiong.net

onlinebingocenter.com

kenttreesurgery.com

berislavic.com

ecomemailspack.com

drgustavoteyssier.com

mayfieldslodge.com

qiubaolink.com

kevinkensik.com

boatmanagementexpert.com

dbylkov.com

griffin-designs.com

glowlikethis.com

fuckjules.com

lxqc6688.com

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4024-126-0x0000000000401000-0x0000000000541000-memory.dmp	xloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Order List from Dunen Enterprise Corporation.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Order List from Dunen Enterprise Corporation.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exe

pid	process
4016	Order List from Dunen Enterprise Corporation.exe
4024	Order List from Dunen Enterprise Corporation.exe
4024	Order List from Dunen Enterprise Corporation.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exe

description	pid	process	target process
PID 4016 set thread context of 4024	4016	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 4024 set thread context of 3028	4024	Order List from Dunen Enterprise Corporation.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exe

pid	process
4024	Order List from Dunen Enterprise Corporation.exe
4024	Order List from Dunen Enterprise Corporation.exe
4024	Order List from Dunen Enterprise Corporation.exe
4024	Order List from Dunen Enterprise Corporation.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeOrder List from Dunen Enterprise Corporation.exe

pid process

4016 Order List from Dunen Enterprise Corporation.exe
4024 Order List from Dunen Enterprise Corporation.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exe

description pid process

Token: SeDebugPrivilege 4024 Order List from Dunen Enterprise Corporation.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exe

pid process

4016 Order List from Dunen Enterprise Corporation.exe

description	pid	process
Token: SeDebugPrivilege	4024	Order List from Dunen Enterprise Corporation.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Order List from Dunen Enterprise Corporation.exeExplorer.EXE

description	pid	process	target process
PID 4016 wrote to memory of 4024	4016	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 4016 wrote to memory of 4024	4016	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 4016 wrote to memory of 4024	4016	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 4016 wrote to memory of 4024	4016	Order List from Dunen Enterprise Corporation.exe	Order List from Dunen Enterprise Corporation.exe
PID 3028 wrote to memory of 3768	3028	Explorer.EXE	chkdsk.exe
PID 3028 wrote to memory of 3768	3028	Explorer.EXE	chkdsk.exe
PID 3028 wrote to memory of 3768	3028	Explorer.EXE	chkdsk.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe
"C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe
"C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
PID:3768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-129-0x0000000002E20000-0x0000000002EF6000-memory.dmp

Filesize
856KB

Download
memory/4016-121-0x0000000077870000-0x00000000779FE000-memory.dmp

Filesize
1.6MB

Download
memory/4016-122-0x0000000077870000-0x00000000779FE000-memory.dmp

Filesize
1.6MB

Download
memory/4016-116-0x0000000002310000-0x0000000002321000-memory.dmp

Filesize
68KB

Download
memory/4016-120-0x00007FFB9C4F0000-0x00007FFB9C6CB000-memory.dmp

Filesize
1.9MB

Download
memory/4024-119-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/4024-118-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4024-123-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/4024-125-0x0000000077870000-0x00000000779FE000-memory.dmp

Filesize
1.6MB

Download
memory/4024-124-0x00007FFB9C4F0000-0x00007FFB9C6CB000-memory.dmp

Filesize
1.9MB

Download
memory/4024-126-0x0000000000401000-0x0000000000541000-memory.dmp

Filesize
1.2MB

Download
memory/4024-127-0x000000001E820000-0x000000001EB40000-memory.dmp

Filesize
3.1MB

Download
memory/4024-128-0x000000001E620000-0x000000001E630000-memory.dmp

Filesize
64KB

Download
memory/4024-117-0x0000000000401574-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads