Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

BookingDetails77#6276.exe
Size

575KB
Sample

230130-j42q3ahf87
MD5

21bf08d7ebefc5793425948710c808c5
SHA1

7979095366362b5e07a1845e29d5989245dc5f6b
SHA256

11ea8640caec973b1823c96000bd50a2c604317888111273f7e93a37412fa2a9
SHA512

43f0a55c39ffb09e6b994673817fb57935c17a6e3a8c5b10f089403da58616ad92f1e8aa842e73ce6299c4fdec4eab2d3c702180f8c97ed11bed80480be5ca7e
SSDEEP

12288:b7EWNDJccwIWYh7jBw383vKmgKuICqwfmcNjRtBnMAr82:MUlyYtjDKmgmChOsNfC2

Score

10^/10

guloader discovery downloader

Malware Config

Targets

- Target
  
  BookingDetails77#6276.exe
- Size
  
  575KB
- MD5
  
  21bf08d7ebefc5793425948710c808c5
- SHA1
  
  7979095366362b5e07a1845e29d5989245dc5f6b
- SHA256
  
  11ea8640caec973b1823c96000bd50a2c604317888111273f7e93a37412fa2a9
- SHA512
  
  43f0a55c39ffb09e6b994673817fb57935c17a6e3a8c5b10f089403da58616ad92f1e8aa842e73ce6299c4fdec4eab2d3c702180f8c97ed11bed80480be5ca7e
- SSDEEP
  
  12288:b7EWNDJccwIWYh7jBw383vKmgKuICqwfmcNjRtBnMAr82:MUlyYtjDKmgmChOsNfC2
Score

10^/10

guloader discovery downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Web Service

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

guloaderdiscoverydownloader

behavioral2

guloaderdiscoverydownloader