Overview

overview

10

Static

static

3766827be1...96.exe

windows7-x64

10

3766827be1...96.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3766827be1e6b0063c09414c7e6d13912964c26fc346dbc673d6ed6a60f34796

  • Size

    292KB

  • Sample

    230129-wha3fagb35

  • MD5

    3cc13beb8db0f13a819c80363ca6e47d

  • SHA1

    b9245332df9c69f4e5ab2ebcc66f074b3fdf7691

  • SHA256

    3766827be1e6b0063c09414c7e6d13912964c26fc346dbc673d6ed6a60f34796

  • SHA512

    4c880072e67f23d6945a485026374d8f28ea418a53f88c66483a576fc004690a32e4795eec0a88b828b49e451ab4e0d0a609dbc9a3b653e7f008a218083e4965

  • SSDEEP

    3072:HLCH/jqOlzvzs8EuHlVGwIfNpm5IKj265dEWAFwlSncsJHZ1MCKWNfr:H+HLLZvzs3uHl9IfNpmhb5mFCQcGN

Score
10/10
guloaderdownloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1p1Ic0Tf7mgLLNbaarmQFAC-TnM5CWJ0g

xor.base64

Targets

    • Target

      3766827be1e6b0063c09414c7e6d13912964c26fc346dbc673d6ed6a60f34796

    • Size

      292KB

    • MD5

      3cc13beb8db0f13a819c80363ca6e47d

    • SHA1

      b9245332df9c69f4e5ab2ebcc66f074b3fdf7691

    • SHA256

      3766827be1e6b0063c09414c7e6d13912964c26fc346dbc673d6ed6a60f34796

    • SHA512

      4c880072e67f23d6945a485026374d8f28ea418a53f88c66483a576fc004690a32e4795eec0a88b828b49e451ab4e0d0a609dbc9a3b653e7f008a218083e4965

    • SSDEEP

      3072:HLCH/jqOlzvzs8EuHlVGwIfNpm5IKj265dEWAFwlSncsJHZ1MCKWNfr:H+HLLZvzs3uHl9IfNpmhb5mFCQcGN

    Score
    10/10
    guloaderdownloaderpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks