Overview

overview

10

Static

static

Proforma Invoice.exe

windows7_x64

10

Proforma Invoice.exe

windows10_x64

10

Analysis

  • max time kernel
    166s
  • max time network
    188s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21-01-2022 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proforma Invoice.exe

  • Size

    64KB

  • MD5

    d09f1e15cbc187edc5792c61d8670a09

  • SHA1

    2b7059a6964b634dd7bb372b5e62c38887b8e93d

  • SHA256

    3561b08594d47d1c827ef76518197472532bfae0ffb9329711f51dc0ee9bdf2a

  • SHA512

    f5c4436dc0dc002785d6574614ed2f9d2b3b175f3e14fa546dd131736d2cc263de289dd818940c5a61ca536616b48b69a0245698f2cdef6e5f2a4bc450fdec27

Score
10/10
guloaderdownloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1t2kWSyeWJ0Nxuf3Q0XWr6hhlOTDB_4Og

xor.base64

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/348-117-0x00000000029B0000-0x00000000029B8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/348-118-0x00007FF908730000-0x00007FF90890B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/348-119-0x0000000077570000-0x00000000776FE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3280-120-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3280-122-0x0000000000401000-0x00000000004FD000-memory.dmp
    Filesize

    1008KB

    Download
  • memory/3280-123-0x0000000000560000-0x0000000000820000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/3280-124-0x00007FF908730000-0x00007FF90890B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/3280-125-0x0000000077570000-0x00000000776FE000-memory.dmp
    Filesize

    1.6MB

    Download