Resubmissions

  • 24-01-2023 07:56  230124-jsn1tsbf5s  10

  • 24-01-2023 07:52  230124-jqxvysbf4y  10

General

  • Target

    ap_remittance.exe

  • Size

    390KB

  • Sample

    230124-jqxvysbf4y

  • MD5

    2469f8893f0b33e769b1a8cdb84baa57

  • SHA1

    d64d31c1312ce383bcfe24714309a1bd0fa63067

  • SHA256

    48b07fec2d947bc75df7b3f4af67f51ceeb1a5956097442d9bafc7ee027237e8

  • SHA512

    af1fdd170170f1b59571d1a4a5b2d8cc66bb002c76eaa92ea540591a18a0225d47a6015cf94976edb544de96625c0eebd54f39ddb401d9fc024026f2773e40ad

  • SSDEEP

    6144:wY2Celn4yXJReJ9hoFVZv/qeYDPM17by0A3J2V5eIU2k1XziFLq+E:3yXJM5oFVZv/rKMbyDgVxsF

Targets

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • T1130 Install Root Certificate: 1

  • T1112 Modify Registry: 1

Discovery

  • T1012 Query Registry: 3

  • T1082 System Information Discovery: 3