General
Target: 977d67c533ee62147f1c941b680a11e900ed83574bf3e2c3a29e842f25c4779d
Size: 24KB
Sample: 220521-xy7l1sgabp
MD5: 664485aa4a48dd73f5e9cc4044baaaa2
SHA1: 5e819932f512fd0c1fa60f2e0ae617ecbc370394
SHA256: 977d67c533ee62147f1c941b680a11e900ed83574bf3e2c3a29e842f25c4779d
SHA512: f29e42720d332cbee2ee6779429949dfa24546bfed27a253e426343f0f31c22c8601c206abcbabbe40c056d0455efda5730265ffcf3c75e5e5e6e599e49b4a47
Static task: static1

Behavioral task: behavioral1
Sample: scan_004768.pdf.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: scan_004768.pdf.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: guloader
https://drive.google.com/uc?export=download&id=1SxDM6GGV4qlGFgGvRFhzDr_ALJPLe5wr
Targets
Target: scan_004768.pdf.exe
Size: 84KB
MD5: 586552ad9112f084e84c2111cad12ec2
SHA1: 48a50e32aefe8cc29de241c33a91e4ea6c9f7d4b
SHA256: bb5e9e2aea9052040d072c9c9b161d2d5a88c50b049e5a505b016e80910256a0
SHA512: 93a35be4aaecae9a6e118af85ef78d4041ca54b8b18d1bfb6b7acd0827d8f05b1d3f399e9227ed1e5ff53ddaa44588d451d987a98e34f68f957d33a1049c7894
Score: 10/10
- Executes dropped EXE
- Checks QEMU agent state file
  Checks state file used by QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext