General
-
Target
5e0272d0db0605d5dc68dec1eb378a0144fd0a20ab13ec41f4f42f29a72767e6
-
Size
22KB
-
Sample
220521-w8e43sedfp
-
MD5
979ab7f99b0fe30aa5629fdff6aeea63
-
SHA1
1f83db4cb41c1650c2c535786e58760e8dc98459
-
SHA256
5e0272d0db0605d5dc68dec1eb378a0144fd0a20ab13ec41f4f42f29a72767e6
-
SHA512
de1ac3e6bb30ecb7b4db9e0c6710d5fa488dfac9353f55844f4fe4366f870fbdd8f05fd0369d430df14c9cfdffdd3e3c9386912e651086366837ec55ee008828
Malware Config
Extracted
guloader
https://drive.google.com/uc?export=download&id=1nJFzy3bHUwUvYTEcawaRZ_EVi8Bn13Js
Targets
-
-
Target
sgemaskine.bat
-
Size
84KB
-
MD5
050e6cb50c426c5f50cf018b296d3df5
-
SHA1
1dcb50669df7d7856b6c8248c81a057640c26d84
-
SHA256
9e3ccccbdae5037867b30ec99ab71a8422ae9b0be42bf6b7ee0dddf07e4f03c0
-
SHA512
22fbaa4109414be48f527da47fd4ccded45fb6cfe7783af1dabd8da60fc05db907b122bbbfc0fb0d9110f4e621487b22bc8e50ee8d954b858b00888f1670b185
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Executes dropped EXE
-
Checks QEMU agent state file
Checks state file used by QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-