General

  • Target

    977d67c533ee62147f1c941b680a11e900ed83574bf3e2c3a29e842f25c4779d

  • Size

    24KB

  • Sample

    220521-xy7l1sgabp

  • MD5

    664485aa4a48dd73f5e9cc4044baaaa2

  • SHA1

    5e819932f512fd0c1fa60f2e0ae617ecbc370394

  • SHA256

    977d67c533ee62147f1c941b680a11e900ed83574bf3e2c3a29e842f25c4779d

  • SHA512

    f29e42720d332cbee2ee6779429949dfa24546bfed27a253e426343f0f31c22c8601c206abcbabbe40c056d0455efda5730265ffcf3c75e5e5e6e599e49b4a47

Malware Config

Extracted

  • Family

    guloader

  • C2

    https://drive.google.com/uc?export=download&id=1SxDM6GGV4qlGFgGvRFhzDr_ALJPLe5wr

  • xor.base64

Targets

    • Target

      scan_004768.pdf.exe

    • Size

      84KB

    • MD5

      586552ad9112f084e84c2111cad12ec2

    • SHA1

      48a50e32aefe8cc29de241c33a91e4ea6c9f7d4b

    • SHA256

      bb5e9e2aea9052040d072c9c9b161d2d5a88c50b049e5a505b016e80910256a0

    • SHA512

      93a35be4aaecae9a6e118af85ef78d4041ca54b8b18d1bfb6b7acd0827d8f05b1d3f399e9227ed1e5ff53ddaa44588d451d987a98e34f68f957d33a1049c7894

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Executes dropped EXE

    • Checks QEMU agent state file

      Checks the state file used by the QEMU guest agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 1

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    Virtualization/Sandbox Evasion (T1497): 1

    System Information Discovery (T1082): 2

  • Command and Control

    Web Service (T1102): 1