guloader | 6f8a836d10eada55bb1d3901ceb5b97711afc9f7018e3bd0f0a8e77521f18e5b

Analysis

max time kernel
127s
max time network
153s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

112KB
MD5

ae871d1957030344d4cefc7295a1e964
SHA1

73e0d642d14ca3dcfca3d22fa2312968d1ba5cd6
SHA256

6f8a836d10eada55bb1d3901ceb5b97711afc9f7018e3bd0f0a8e77521f18e5b
SHA512

bc5a39f9a86bc6d461c32a947a61d7bbd0dd8ae93700bc9e3e984b33df6b9a0fac0e8dd71ca50e8dcfee9314bd00824fd4ec507c66e22e4bd20c1edf0dad4679

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe1.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	1.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1.exe1.exe

pid process

1132 1.exe
2236 1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1.exe

description pid process target process

PID 1132 set thread context of 2236 1132 1.exe 1.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1.exe

pid process

1132 1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid process

1132 1.exe

pid	process
1132	1.exe
2236	1.exe

description	pid	process	target process
PID 1132 set thread context of 2236	1132	1.exe	1.exe

pid	process
1132	1.exe

pid	process
1132	1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1.exe

description	pid	process	target process
PID 1132 wrote to memory of 2236	1132	1.exe	1.exe
PID 1132 wrote to memory of 2236	1132	1.exe	1.exe
PID 1132 wrote to memory of 2236	1132	1.exe	1.exe
PID 1132 wrote to memory of 2236	1132	1.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-117-0x0000000002380000-0x0000000002393000-memory.dmp

Filesize
76KB

Download
memory/1132-118-0x00007FFE2E720000-0x00007FFE2E8FB000-memory.dmp

Filesize
1.9MB

Download
memory/1132-119-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/1132-121-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/2236-120-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2236-123-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/2236-124-0x0000000000560000-0x0000000000710000-memory.dmp

Filesize
1.7MB

Download
memory/2236-125-0x00007FFE2E720000-0x00007FFE2E8FB000-memory.dmp

Filesize
1.9MB

Download
memory/2236-126-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download