guloader | a8e4b2993ebac406c7945e801e7da09e94393b8ee4a52114e4b40255a8c2a737 | Triage

Sharing

General

Target

a8e4b2993ebac406c7945e801e7da09e94393b8ee4a52114e4b40255a8c2a737
Size

65KB
Sample

221108-t4rwzagac4
MD5

dc2c21650524c890e37d17ff2c536d75
SHA1

473a4048017fb3b7f5a3260d8fc06688230309ef
SHA256

a8e4b2993ebac406c7945e801e7da09e94393b8ee4a52114e4b40255a8c2a737
SHA512

f8e84839b220317f7fdf2cd677afcf65729cafe196761d9462c502c13c7cc16615d7406de0280f536f0e07821fa6115d9369b08aa13d95b376f1d66420eb027c
SSDEEP

1536:Rxw3jH3cXrI0K/7qNgpwSQSeX585NMfRx11:Y3jH3cbI0cqSpaNwKJ

Score

10^/10

guloader downloader guloader

Malware Config

Extracted

Family

guloader

C2

http://pashupatiexports.com/chimaoriginrawfile_hbsqQD194.bin

xor.base64

Targets

- Target
  
  RE Proforma Invoice.exe
- Size
  
  188KB
- MD5
  
  928ac4fab89fcbe9d9b37a65b549a9d2
- SHA1
  
  daf561981c38dba10440e48660bc55c3d57690dc
- SHA256
  
  aee6f41ba3393811f2980cec1714785039dd6cfcc629b81479fc376f635868c7
- SHA512
  
  2f3b95f61253e558b73b7dfec9490eaf8f930ee442b62cdfe88a611657673b90ea9698ab40299ef44b1bab0efe2209712f3471b80726196475e2e538c426dc51
- SSDEEP
  
  1536:uPjOV8I1obdncfAyshYt6ZYLgWdzFPO0gMrJteE/1+3uUnpgyQFLRMCvN4OekMfE:WNg4jb4kqKMZjosBhjDeu90Frof0yB
Score

10^/10

guloader downloader guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Guloader payload
  guloader
- Checks QEMU agent state file
  Checks state file used by QEMU agent, possibly to detect virtualization.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

guloaderdownloaderguloader

behavioral2

guloaderdownloaderguloader