guloader | a43a0cacbfaf5aa649acc0d29ce25855ea92c50af2729f30c5f2ecfad376ef4d | Triage

Submit
Reports

Overview

overview

Static

static

1

Solicitud ...df.exe

windows7-x64

Solicitud ...df.exe

windows10-2004-x64

Sharing

General

Target

Solicitud de Oferta 07-02-23·pdf.exe
Size

560KB
Sample

230207-pl66qabf53
MD5

a28a8c381f7460d2a35f10186ca34dd6
SHA1

0ea66a29cca600bdd91f3505884d74dd7df09d9f
SHA256

a43a0cacbfaf5aa649acc0d29ce25855ea92c50af2729f30c5f2ecfad376ef4d
SHA512

6c594c33ecf2069a53e7c83ab817a3ab8250ea8796889a854d2d11a26f95f20132721e4e5df963c587ef4f4b154388b35b7b732e24375ee9f79927a3938b37e2
SSDEEP

12288:0ky6tuXby71v1f+fWQ8+N8v2ocCSivrlicg3ULa+kdkP/:M6tuLM1v1f+Tt8vcKG3UGdkP/

Score

10^/10

guloader warzonerat downloader infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

Solicitud de Oferta 07-02-23·pdf.exe

Resource

win7-20220812-en

guloader downloader

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Solicitud de Oferta 07-02-23·pdf.exe

Resource

win10v2004-20220812-en

guloader warzonerat downloader infostealer persistence rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  Solicitud de Oferta 07-02-23·pdf.exe
- Size
  
  560KB
- MD5
  
  a28a8c381f7460d2a35f10186ca34dd6
- SHA1
  
  0ea66a29cca600bdd91f3505884d74dd7df09d9f
- SHA256
  
  a43a0cacbfaf5aa649acc0d29ce25855ea92c50af2729f30c5f2ecfad376ef4d
- SHA512
  
  6c594c33ecf2069a53e7c83ab817a3ab8250ea8796889a854d2d11a26f95f20132721e4e5df963c587ef4f4b154388b35b7b732e24375ee9f79927a3938b37e2
- SSDEEP
  
  12288:0ky6tuXby71v1f+fWQ8+N8v2ocCSivrlicg3ULa+kdkP/:M6tuLM1v1f+Tt8vcKG3UGdkP/
Score

10^/10

guloader downloader warzonerat infostealer persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloaderdownloader

behavioral2

guloaderwarzoneratdownloaderinfostealerpersistencerat

© 2018-2024

Terms | Privacy