guloader | e5cb1d4b2c909193f6c268562ca98dbed658e721f4f0f567cd0180377bb98dd0

Analysis

max time kernel
125s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Le colis est arrivé.exe
Size

88KB
MD5

2005563dabb4ed76429027f8c4399e87
SHA1

b15a4eb375b4a7fa035bcdd807a39ed031247e9c
SHA256

a2854003ec6cd974aacccacca9e7d12208e1e70dc2c3d722c238bafb3aa3ee26
SHA512

568aa529ff3085a3737128fb70fe158785c86cf7a9e390ed23b5e8a6c2aebce9e609e166601466e0d0e5df77a2038615b56a0aadcebcda8c74afeae898b8c478

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1ysE1rXhtMd6Cfh7cvmeBe0yMHDujuPpk

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/4936-132-0x0000000000720000-0x000000000072A000-memory.dmp	family_guloader

Checks QEMU agent state file 2 TTPs 1 IoCs
Checks state file used by QEMU agent, possibly to detect virtualization.

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Le colis est arrivé.exe

description ioc process

File opened (read-only) C:\ProgramData\qemu-ga\qga.state Le colis est arrivé.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Le colis est arrivé.exe

pid process

4936 Le colis est arrivé.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Le colis est arrivé.exe

pid process

4936 Le colis est arrivé.exe

description	ioc	process
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	Le colis est arrivé.exe

pid	process
4936	Le colis est arrivé.exe

pid	process
4936	Le colis est arrivé.exe

C:\Users\Admin\AppData\Local\Temp\Le colis est arrivé.exe
"C:\Users\Admin\AppData\Local\Temp\Le colis est arrivé.exe"
1⤵
- Checks QEMU agent state file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4936-132-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/4936-133-0x00007FFE3DC50000-0x00007FFE3DE45000-memory.dmp

Filesize
2.0MB

Download
memory/4936-134-0x00000000773C0000-0x0000000077563000-memory.dmp

Filesize
1.6MB

Download