General

Target: d260d6cf07d74ca3e53b6bd294387894d6a4a0b7c76132359007cba026cef144
Size: 17KB
Sample: 220521-w8czqabbe2
MD5: bd4d42e4b92ec5bad89ce9df7a46b860
SHA1: d23fab700d9b6a71c5b920aa290b0c21aa2c3883
SHA256: d260d6cf07d74ca3e53b6bd294387894d6a4a0b7c76132359007cba026cef144
SHA512: 169bd3260b7f6181b890e8be5a40054ee36a55728551c5abe1f07d7b1fa0ec8916fbe43b03d324586b8a3a7f1e3a59df1dc4005b543dd86a89ae8754a9be0a2a
Static task: static1

Behavioral task: behavioral1
Sample: SHIPPING DOCUMENT.scr
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: SHIPPING DOCUMENT.scr
Resource: win10v2004-20220414-en
Malware Config

Extracted family: guloader
Extracted URL: https://drive.google.com/uc?export=download&id=1_oth8C6SFfuRuHZpRwX3CHrHvH7H3Cwv
Targets

Target: SHIPPING DOCUMENT.scr
Size: 84KB
MD5: 413d2dbeb92babc91dee4688dff52642
SHA1: 0efb2c7c544d774709504c94bb4cdc469ff8e367
SHA256: 08954829f50d1aade435fefd5e50e2aee86283ab378a54243892152eded51db8
SHA512: 9a443289dc15e13993e41412fd8461bd207912a92cc71d79c88be59b8eea572525bb7d9469d9c739b967513b69467d71ef4a68ee51aa4e41f3e8147856aa4f59
Score: 10/10

Signatures:
- Executes dropped EXE
- Checks QEMU agent state file: checks the state file used by the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext