Overview

overview

10

Static

static

QUOTATION ...AR.exe

windows7_x64

10

QUOTATION ...AR.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d096adaf4e51ae9bc61a1e5b677faf764ae1dd34459c1c3ed88bdf98244766b1

  • Size

    19KB

  • Sample

    220521-xzgrzsgack

  • MD5

    216738d31fa526ec3de812fc2c336e9d

  • SHA1

    56d39e2e8c4855754d6d4ed85c185fa72d97330b

  • SHA256

    d096adaf4e51ae9bc61a1e5b677faf764ae1dd34459c1c3ed88bdf98244766b1

  • SHA512

    5e09eb6cc1ffa8e3533e82b1f28b5effb680348b8cce797e579ebada2b73b11db13f36be59ebeb8f47dcd2411fc8ec3692634f709104f8ed91fe79f44817e51f

Score
10/10
guloaderdownloader

Malware Config

Extracted

Family

guloader

C2

http://beheshtsoft.com/order/tuned_OvgPrj61.bin

xor.base64

Targets

    • Target

      QUOTATION REQUEST FROM EUROSTAR.exe

    • Size

      80KB

    • MD5

      788707adc4c4be37151838bdc4233623

    • SHA1

      56c441b5c7c080c9663ff695691609e5aaa538d6

    • SHA256

      472a4d21f664dbdb78739e9847cda51b6bb6d1a296307fff8a3991d5543056b3

    • SHA512

      b9560075528db153b82517b75bba86c108d70d34b9af7b4457f0368e0cd429c1d741eb50dee828656b86316f5e16d5cd9ee029ca267379e3bfef78925a215a2d

    Score
    10/10
    guloaderdownloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Checks QEMU agent state file

      Checks state file used by QEMU agent, possibly to detect virtualization.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks