General
-
Target
RFQ No 41 26_06_2023.pdf.lnk
-
Size
2KB
-
Sample
230627-ax3v4sdd31
-
MD5
ba180227c26bb151e9a9dddfb0a572af
-
SHA1
2e52688c2280c246bf931fd130184f86d411bc5d
-
SHA256
748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5
-
SHA512
55da00767297a830f6209ee685d0956ae1e2a42562efcb64a46d028bfadd0bc615538e523279cf7b45d453b19c461808673d530bb45924b1807422792da4bbc7
Malware Config
Targets
-
-
Target
RFQ No 41 26_06_2023.pdf.lnk
-
Size
2KB
-
MD5
ba180227c26bb151e9a9dddfb0a572af
-
SHA1
2e52688c2280c246bf931fd130184f86d411bc5d
-
SHA256
748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5
-
SHA512
55da00767297a830f6209ee685d0956ae1e2a42562efcb64a46d028bfadd0bc615538e523279cf7b45d453b19c461808673d530bb45924b1807422792da4bbc7
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-