General

  • Target

    A445F0C017C1BA67B329B2E26C5826B6BD3AD019C4D17B644D174F3625F453B0

  • Size

    450KB

  • Sample

    221123-r1lvfach9w

  • MD5

    37716c9e0331afa9093285e7f0a7b081

  • SHA1

    97a68f35b3b7b0cfb508cdc6fe7f84fd2564cd26

  • SHA256

    a445f0c017c1ba67b329b2e26c5826b6bd3ad019c4d17b644d174f3625f453b0

  • SHA512

    205735a2e3c1034a1038b8e8c2d1e0a870743b87e74f74f1682eba27bc1b14bb71a0b6caed705cf41991f8f389984ed4de638472a1f2886c7ed5c83740e75b84

  • SSDEEP

    12288:hSJlCMez4G46OE1xR6Ws+k1cB06Dra6wMCcsfoYeBEFK:YLCMW4/U0D196DOiCTzK

Malware Config

Targets

    • Target

      答复 CONFIRMATION OF ORDER.vbs

    • Size

      654KB

    • MD5

      c27f7a38b0661de03b69afe76b9697f4

    • SHA1

      36fea8822c1b4d33b405c2ab16423ea6c2a02736

    • SHA256

      d27c6afe237a969751b1e44c98fcd78f93623816162ac349703e9f3f39e542d1

    • SHA512

      56dcc44ac0b0dfcc076cec07eef693928903992cc80fdb0942068dca59f69a0cc6baa3370f3fa9b2865e47f3540de15bd284ae396e42b25421ca57eda5b1f8b2

    • SSDEEP

      12288:1ctF/y6uBCMyplUUb4eK9hjS1cpeMpWKLHFPwC9kxXKxMj3:1v6i0lPLYhW9aLHFPoZKxMj3

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

  • Command and Control

    Web Service (T1102): 1

Tasks