General
Target: e821b5d7800df3d0049b41d6c33997b3d710d3b37801704bd2823cc621a678b8
Size: 58KB
Sample: 220521-w8b3esedfl
MD5: 72e478f8aec32822709260549d0ec7a5
SHA1: 3f62e2a22125bbb27ca9f75915162639d04cfb81
SHA256: e821b5d7800df3d0049b41d6c33997b3d710d3b37801704bd2823cc621a678b8
SHA512: 72f3c2281e30f8ded11009d941e66e8ef79c588a1186fe551f1c8811c6f67626f5cd3f0707254f5f42f094c6a3b8b173871e93f4ba206b21df4ec43660e7155c
Static task: static1
Behavioral task: behavioral1
  Sample: PI-BL_SHIPPING DOCUMENT.scr
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PI-BL_SHIPPING DOCUMENT.scr
  Resource: win10v2004-20220414-en
Malware Config
Extracted: guloader
https://drive.google.com/uc?export=download&id=1nWJYNb6dnLoBCQ2sKeUXLNIMEr6vOra4
Targets
Target: PI-BL_SHIPPING DOCUMENT.scr
Size: 180KB
MD5: 3768fe51238c141f42cab373c8135963
SHA1: fb34281e91b8ec537a438e66f927009da72b07a3
SHA256: 72df3f9a494ac0d849ea6ba3917dfc37d7275f170f01348d3fd2ad77fb3d601d
SHA512: fb7d29cfc865e2b07c1a21a62b6bdad89c32472ca434be1489333b2c8425765a1edab2a067b7c259e5536375ce9a72cff0b06b242bf2a4dbc9cb70521eceb06a
Score: 10/10
- Executes dropped EXE
- Checks QEMU agent state file: checks the state file used by the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext