Overview

overview

10

Static

static

Pending Invoice.exe

windows7_x64

10

Pending Invoice.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    12a04e48890ae729dac355bdf32b0eb15248d25ccc3707a2c9a39e90b352cd41

  • Size

    81KB

  • Sample

    220707-ylgqhabfb9

  • MD5

    77f478beead29c5b5ce999f188655325

  • SHA1

    1d80b5c05e135a5489804b9d6303b78361f93510

  • SHA256

    12a04e48890ae729dac355bdf32b0eb15248d25ccc3707a2c9a39e90b352cd41

  • SHA512

    e5cd67eb6c7cdc1fbf9db2d86624a411fda81eef23c5cbfc52f8e94f1bbf8f3d157a12f1375c14663bf385a66299149ff3dc676f5e71bc582060be79322ec4d3

Score
10/10
guloaderdownloaderguloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1uIC_VY6SuPUt6vF_2WvqGhzus4onPU4o

xor.base64

Targets

    • Target

      Pending Invoice.exe

    • Size

      80KB

    • MD5

      698482b9819bcf8973fba7e0deaf862e

    • SHA1

      023a888790843bd788483da56b0422981dd4e826

    • SHA256

      1c7021977bfa2a35b79e059a0937ced628d50b79b8940e70e0505f13b381a4bf

    • SHA512

      10cd41330d30903cae38b21cf46e7ae4aea5bc694effe28df78799912f11009b08c48bed9855a016d256cc0080a99c8bdc03f95afa25c2d1872914f4f7675d7d

    Score
    10/10
    guloaderdownloaderguloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Guloader payload

      guloader

    • Checks QEMU agent state file

      Checks state file used by QEMU agent, possibly to detect virtualization.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks