General

  • Target

    c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd

  • Size

    52KB

  • Sample

    220124-dyc8mabbfq

  • MD5

    a3042b64c0c3086b890cc3f6cfb334dd

  • SHA1

    c87ed1aecb4936031222882b873af31341b6dd69

  • SHA256

    c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd

  • SHA512

    a05786ef94fbc2f5c1ee40c6c4c63f316eabd6f0cf3ffef7bd84ca523324d60ea714345b89890db3cf1e90c52af4b0f03edb636b2f25e041772b6ae07808439c

Malware Config

Extracted

  • Family

    guloader

  • C2

    https://share.dmca.gripe/jUuWPW6ONwL1Wkux.bin

  • xor.base64

Targets

    • Target

      c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd

    • Size

      52KB

    • MD5

      a3042b64c0c3086b890cc3f6cfb334dd

    • SHA1

      c87ed1aecb4936031222882b873af31341b6dd69

    • SHA256

      c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd

    • SHA512

      a05786ef94fbc2f5c1ee40c6c4c63f316eabd6f0cf3ffef7bd84ca523324d60ea714345b89890db3cf1e90c52af4b0f03edb636b2f25e041772b6ae07808439c

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060), 1 signature

  • Defense Evasion

    Modify Registry (T1112), 1 signature

  • Discovery

    System Information Discovery (T1082), 1 signature

Tasks