General
-
Target
296da6c6402442d49cfd43e9f9f643390ca2dc9f7430891d5fbbd49294d94d85
-
Size
22KB
-
Sample
220521-w8f2dabbe6
-
MD5
a00557da80ec852a2247f08e2e52a0bc
-
SHA1
5efced26a03dd507d200adcda2d3321c39af5db9
-
SHA256
296da6c6402442d49cfd43e9f9f643390ca2dc9f7430891d5fbbd49294d94d85
-
SHA512
b8cda06e2ca0522dd9448a9930512af112f935bfd0c5888155a83daadd26c7241e5b4b279129c30d03ed283aced1acd591e2a65bf7677bb1762cc96c9320217a
Malware Config
Extracted
guloader
https://drive.google.com/uc?export=download&id=1K-CSSsJ1vvDwqmIKyP6iBjekVRzjCLpq
Targets
-
-
Target
precept.scr
-
Size
84KB
-
MD5
36f2929edc1f6ad027a19baf60880ac3
-
SHA1
141d9b90cb1b3826d7b95c7162e94a20305a8d6d
-
SHA256
08361399bcfd6c87b301f7dd61be86d5eedf3013608d3cd98c818435bd43a724
-
SHA512
69d111f44ccc0a10b04f2ad522ba8ce3401255e789ae47c277cf7230007fe7dfbb19da082a55bcff68b2daf50dc690434fd8b15b950d796dbd567ba5971092ae
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Executes dropped EXE
-
Checks QEMU agent state file
Checks state file used by QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-