guloader | 058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf

General

Target

5262da4295e8a62d58d17991b35bf860
Size

124KB
Sample

211019-pvn2hagfgp
MD5

5262da4295e8a62d58d17991b35bf860
SHA1

3fba37528f6b06d2c89c7d86ce6352df438f1855
SHA256

058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
SHA512

8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fs3g

C2

http://www.indigenousjobsearch.com/fs3g/

Decoy

juliorodriguez.info

koglifestylegym.com

matrixrecruits.com

tes5ci.com

firlefanz.digital

funkyladybug.com

susneh.com

polistanok.space

theindiahub.com

bigmargintennis.com

ti-talk.com

onejmj.com

ff4ca2623.xyz

mtzion-tn.com

yidiaodiaosu.com

dadsgaragedoor.com

rigs-4u.com

jiaoyimaojiyu2.xyz

evcay.com

appmxt.com

Targets

- Target
  
  5262da4295e8a62d58d17991b35bf860
- Size
  
  124KB
- MD5
  
  5262da4295e8a62d58d17991b35bf860
- SHA1
  
  3fba37528f6b06d2c89c7d86ce6352df438f1855
- SHA256
  
  058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
- SHA512
  
  8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18
Score

10^/10

guloader downloader xloader fs3g loader rat suricata
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Executes dropped EXE

Checks QEMU agent file

Loads dropped DLL

Enumerates connected drives

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2