Overview

overview

10

Static

static

1

RFQ No 41 ...df.lnk

windows7-x64

3

RFQ No 41 ...df.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ No 41 26_06_2023.pdf.lnk

  • Size

    2KB

  • Sample

    230627-ax3v4sdd31

  • MD5

    ba180227c26bb151e9a9dddfb0a572af

  • SHA1

    2e52688c2280c246bf931fd130184f86d411bc5d

  • SHA256

    748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5

  • SHA512

    55da00767297a830f6209ee685d0956ae1e2a42562efcb64a46d028bfadd0bc615538e523279cf7b45d453b19c461808673d530bb45924b1807422792da4bbc7

Score
10/10
guloaderdownloaderpersistence

Malware Config

Targets

    • Target

      RFQ No 41 26_06_2023.pdf.lnk

    • Size

      2KB

    • MD5

      ba180227c26bb151e9a9dddfb0a572af

    • SHA1

      2e52688c2280c246bf931fd130184f86d411bc5d

    • SHA256

      748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5

    • SHA512

      55da00767297a830f6209ee685d0956ae1e2a42562efcb64a46d028bfadd0bc615538e523279cf7b45d453b19c461808673d530bb45924b1807422792da4bbc7

    Score
    10/10
    guloaderdownloaderpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks