General

  • Target: de1cf950768ed85e8db91067ad1fcb75f5b3ea065bac9f8d9d02a13ef6c84015
  • Size: 23KB
  • Sample: 220521-w79masbbd7
  • MD5: 3b1324268d47a3bc16a639b9a66b9f31
  • SHA1: 91d8d116ac1ef93367f72472a03394f513b47e35
  • SHA256: de1cf950768ed85e8db91067ad1fcb75f5b3ea065bac9f8d9d02a13ef6c84015
  • SHA512: 4b5ae918ddf9790db9e2f1d368243776c31c5268dbc505d65e8f6aacf90532c11b1b866af16c366fe2310bbea9301dd5e9c8a2d2b1e6c712ae80f581497beff7

Malware Config

Extracted

  • Family: guloader
  • C2: https://drive.google.com/uc?export=download&id=1ol4wY5Dn2LEtHM6S_jwboyrfoOEmdpLR

xor.base64

Targets

    • Target: Attached_ContainerDoc.bat
    • Size: 100KB
    • MD5: 93015d49e177c32dea9aba2fb14168f1
    • SHA1: 86bb1b7127f97910163c9e4226b81c63edb4f657
    • SHA256: df8a22b84b09a0871f6823edb9a826bab424c3e518b18a51e49e7ce1c311ca9a
    • SHA512: c1ef8d3df6d74160c684ec1779bcc35fc89e8c2abcd2c3b255d8afef52df50ca04f71357abc5ce316984af05b469ca925896258b4a33c7748ee230fc500f1d67

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Executes dropped EXE

    • Checks QEMU agent state file

      Checks state file used by QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

    • Virtualization/Sandbox Evasion (T1497): 1
    • Modify Registry (T1112): 1

Discovery

    • Query Registry (T1012): 2
    • Virtualization/Sandbox Evasion (T1497): 1
    • System Information Discovery (T1082): 2

Command and Control

    • Web Service (T1102): 1