General

  • Target

    9131600701.zip

  • Size

    876B

  • Sample

    230215-m3zf4abd99

  • MD5

    68313e90d5687f78ff533e824f839a54

  • SHA1

    1873d54abcf2eedfc0bfedc777f0e01e9d755db7

  • SHA256

    766044286d00b36afb454e85f529356a93cb9b6d389bbe255c10e1cd745886d4

  • SHA512

    336015c1a9eaf8f6674edecf2f088ca6a8db469a31ac2c615e8a03d8563ace59c61db25c980f7f49ef6ca6a952886b5b3e403b41a8723c9d552e535b2fee1f7a

Malware Config

Targets

    • Target

      S_K _Beaumont_TaxDocuments.pdf.lnk

    • Size

      2KB

    • MD5

      c92d58caccaa377d4fbec66e06d3433c

    • SHA1

      42d7500783a111aa5150a9e0a6809eaace482cfc

    • SHA256

      ab1eb7454d2cc5549c4c09422cdeb2fbf9254a977a42b03ca887a42d4e66f84e

    • SHA512

      f71dc8dc6074ce92afa7a0b16f10fd0e7c827caf59977e0158e5e470f74a6e6e10ed2efe9f69a3b2678cd23f9726cf2ba496a0d1aac857a1cf1eb42404adbade

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks