General
- Target: 7b6851070b0fe114e9a5f475afedba1729251ca694a223ffccb6dad12c340120
- Size: 26KB
- Sample: 220521-w75ncabbc6
- MD5: bb238138a1ec08119d3af9a9fdb4afa8
- SHA1: 2ce5f74137e4b3cd3edf5949f59b14721c021f78
- SHA256: 7b6851070b0fe114e9a5f475afedba1729251ca694a223ffccb6dad12c340120
- SHA512: 466cfac77d47a51b1c74fbc37821fec2c71b5db9e98e5141ebcc8343d356cb779bf90fde273ffcbcbb1e083407411aeb2ce79adde6decf5c92b422789730f422
Static task: static1
Behavioral task: behavioral1
- Sample: CIF_SPECIFICATION.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: CIF_SPECIFICATION.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: guloader
https://drive.google.com/uc?export=download&id=1O_rnyGLfnOgAUhQY47mykjisecpbIVkR
Targets
- Target: CIF_SPECIFICATION.bat
- Size: 108KB
- MD5: 0c225f3d7436d7c996956470935dad78
- SHA1: 4411a9d5c7363ffa252f520b0e4953ffac4bcda6
- SHA256: afccd20b616b002619cc6e6135729cf2b85f381524d76ecaa4ba764a8144236b
- SHA512: 46b4848e12b3806da2abc1743f3057912f92509c685cc564a7dd3c9654317f71827ae422ba4a0537a4a00b6a9cfd52a42381b9915988c21342e283ebe22c6fa2
- Score: 10/10
- Executes dropped EXE
- Checks QEMU agent state file: checks the state file used by the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext