General

  • Target

    RFQNewrequestorderRFQ0023.exe

  • Size

    268KB

  • Sample

    230710-qvvdysbg4v

  • MD5

    620d0e482887417b089ab3e70a9031c2

  • SHA1

    36c98bd92640d00562cbe0b6859e720f01486193

  • SHA256

    7b3447523ec225e7323cfa258ad943e828da6c9605539d1db338c30c8bf1608c

  • SHA512

    35fb089f464f3060442597032173a9d2f074f293b36b574ca9bcc10b1b1d98a9bccf3f47dec177a6b6bbd9bc5265b4dfdca0961a4726ee5be905bcf498f3aa7b

  • SSDEEP

    6144:RZ/qRr62xlmSlMCo0oFCZR2vzkwL59ZIE2hr5JOPI:RBBUlmSlMwqcR2zkwL59MN0g

Targets

    • Target

      RFQNewrequestorderRFQ0023.exe

    • Guloader,Cloudeye

      GuLoader (also tracked as CloudEyE) is a shellcode-based downloader first seen in 2020.

    • Checks QEMU agent file

      Checks for the QEMU guest agent on disk, most likely to detect that it is running inside a virtual machine.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
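
The behaviour signatures above name concrete API calls, registry keys and a file path. As an added example that is not part of this sandbox report, the Python below matches those indicators against an API-call trace: the ThreadHideFromDebugger information class (0x11), the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER creation flag (0x4), SetThreadContext/NtSetContextThread following a remote memory write, writes under the Run key, reads under the Uninstall key, and access to a qemu-ga path. The constants and registry paths are the documented Windows values; the trace line format, the argument names and the sample lines are constructed for the example and do not come from the report.

```python
import re
from dataclasses import dataclass

# Documented Windows values: THREADINFOCLASS::ThreadHideFromDebugger and the
# NtCreateThreadEx creation flag that has the same effect on a new thread.
THREAD_HIDE_FROM_DEBUGGER = 0x11
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
UNINSTALL_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)
QEMU_AGENT_RE = re.compile(r"qemu-ga", re.I)

# Constructed trace in a hypothetical 'Api(arg=value, ...)' format; none of these
# lines are taken from the report. Thread=0xfffffffe is the current-thread pseudo-handle.
TRACE = r"""
NtCreateFile(Path="C:\Program Files\Qemu-ga\qemu-ga.exe", Access=0x80)
NtSetInformationThread(Thread=0xfffffffe, ThreadInformationClass=0x11)
NtCreateThreadEx(Process=0x2c4, CreateFlags=0x4, StartAddress=0x401000)
RegOpenKeyExW(Key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", Access=0x20019)
NtWriteVirtualMemory(Process=0x2c4, Base=0x400000, Size=0x1000)
NtSetContextThread(Thread=0x2d0)
RegSetValueExW(Key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run", Name="Update", Data="C:\Users\Public\update.exe")
"""


@dataclass
class Call:
    api: str
    args: dict


def parse_trace(text):
    """Parse 'Api(name=value, ...)' lines; quoted values stay strings, numbers become ints."""
    calls = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*(\w+)\((.*)\)\s*$", line)
        if not m:
            continue
        api, rest = m.groups()
        args = {}
        for key, val in re.findall(r'(\w+)=("[^"]*"|0x[0-9A-Fa-f]+|\d+)', rest):
            args[key] = val.strip('"') if val.startswith('"') else int(val, 0)
        calls.append(Call(api, args))
    return calls


def classify(calls):
    """Return the set of behaviour labels triggered by the call sequence."""
    hits = set()
    wrote_remote = False  # a remote write before SetThreadContext points at injection/hollowing
    for c in calls:
        if c.api == "NtSetInformationThread" and c.args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            hits.add("NtSetInformationThreadHideFromDebugger")
        elif c.api == "NtCreateThreadEx" and c.args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits.add("NtCreateThreadExHideFromDebugger")
        elif c.api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
            wrote_remote = True
        elif c.api in ("SetThreadContext", "NtSetContextThread"):
            hits.add("SetThreadContext after remote write" if wrote_remote else "SetThreadContext")
        elif c.api.startswith("RegSetValue") and RUN_KEY_RE.search(c.args.get("Key", "")):
            hits.add("Run key persistence")
        elif c.api.startswith(("RegOpenKey", "RegEnumKey")) and UNINSTALL_KEY_RE.search(c.args.get("Key", "")):
            hits.add("Uninstall key enumeration")
        elif c.api in ("NtCreateFile", "CreateFile", "GetFileAttributes") and QEMU_AGENT_RE.search(c.args.get("Path", "")):
            hits.add("QEMU agent file check")
    return hits


def analyze(text):
    """Convenience wrapper: trace text in, sorted list of behaviour labels out."""
    return sorted(classify(parse_trace(text)))


if __name__ == "__main__":
    for label in analyze(TRACE):
        print(label)
```

The ordering check for SetThreadContext matters: on its own the call is common in legitimate code (debuggers, exception handling), and it is the combination with a preceding write into another process that makes it suspicious, which is why the example keeps that state across calls instead of matching each line in isolation.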
