General

  • Target: 6496d2ad7f1d051893d931981e0c23f1d4b5ad0e25bf437531285579b017f616
  • Size: 448KB
  • Sample: 230129-tx6rjsdf59
  • MD5: c976d86401ff3f21e368ba31d3db2a87
  • SHA1: 52c84b3a15e4599eed6d050251b7f7d1eaf638c0
  • SHA256: 6496d2ad7f1d051893d931981e0c23f1d4b5ad0e25bf437531285579b017f616
  • SHA512: c53130165d6604685524bb8e1096ea164ecbf5f862162e425a57407c9efa3f1f72418aef06e90a6d7f94ce5fec272088a59e73b28563f7aa1be5f91f10a89f7e
  • SSDEEP: 1536:1bLxrsEdHVRHi4e2NVgt4J2RHzDkJUJ/su+3wAvtikWmBaHHGc:9LXri323gAQHzBw3wYtikWmBaHHGc

Malware Config

Extracted

  • Family: guloader
  • C2: https://drive.google.com/uc?export=download&id=1B-xB0IiGnXbaMb5bFkqePufSw54eWuCO
  • xor.base64

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion
    Modify Registry: T1112 (1)

  • Discovery
    Query Registry: T1012 (1)
    System Information Discovery: T1082 (1)

  • Command and Control
    Web Service: T1102 (1)

Tasks