guloader | 6c08bec143e6f1474f75b50131897374c9db23c51c15c09457f607136ba02982 | Triage

Sharing

General

Target

RICHIESTA DI OFFERTA (Università di Parma) 9-02-23·pdf.zip
Size

550KB
Sample

230209-nq6v3sae4s
MD5

1a6f87a988d2bd49e33f0c53247aa8a0
SHA1

a6ca988a949bf4950ddad7e7ed5406202d690377
SHA256

6c08bec143e6f1474f75b50131897374c9db23c51c15c09457f607136ba02982
SHA512

bb3e37ec801a90afe56364ba3383a2831aa2b9aa553808355124719c8e060b5510be2fffd42dbf1f2c4b5c1b91caeb7f0c3e2f9db91be965ad33ae769a8c2ec8
SSDEEP

12288:MqABEcbVJ2sERQe0m+78v2oCCSyvrJ8MgS7LVqdEEVS6F:MTBPV8sgQey8v66uqh6EAfF

Score

10^/10

guloader warzonerat downloader infostealer persistence rat

Malware Config

Targets

- Target
  
  REQUEST FOR OFFER (University of Parma) 9-02-23·pdf.exe
- Size
  
  564KB
- MD5
  
  cae675beb80ed1fae88d407271ed397e
- SHA1
  
  ddf46550655ca7c075496821d90fb7f5706ee9d7
- SHA256
  
  5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
- SHA512
  
  cd616b5497a16f5dcd172844ea6652e0d37f4549ce37a9928c125e8776f5c4eddb0ea930a3169ec8fa551121b194edef3a2d8adbd6d3adfa84bd08f143e48835
- SSDEEP
  
  12288:GkyEGBEcfVj2sEjQS0Y+N8v2ocCSivrlicgs7LVpr6O:eHBbVKsIQSY8vcKGshx6O
Score

10^/10

guloader warzonerat downloader infostealer persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderwarzoneratdownloaderinfostealerpersistencerat

behavioral2

guloaderdownloader