General

  • Target

    e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469

  • Size

    466KB

  • Sample

    230718-lne88sab9t

  • MD5

    210b741e2da121370c2521e56fd1a1c6

  • SHA1

    679b47ca2ed1d3b1131239914149ff0a68670ddb

  • SHA256

    e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469

  • SHA512

    68754122d90efb108e0012dfa611bbed333032527254d9dc515ecee11974aef29a982807b177fde9841d6ff4d878a7e7860c450bf9c8a7fd804026960b6220d7

  • SSDEEP

    6144:xIw3AEsnWaFcWjU0DBS9grh/B9EFkYedPeDA17SzwbkBlQCS:uEsnWaFv4grh598ZAecg8bk7QV

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Targets

    • Target

      e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469

    • Size

      466KB

    • MD5

      210b741e2da121370c2521e56fd1a1c6

    • SHA1

      679b47ca2ed1d3b1131239914149ff0a68670ddb

    • SHA256

      e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469

    • SHA512

      68754122d90efb108e0012dfa611bbed333032527254d9dc515ecee11974aef29a982807b177fde9841d6ff4d878a7e7860c450bf9c8a7fd804026960b6220d7

    • SSDEEP

      6144:xIw3AEsnWaFcWjU0DBS9grh/B9EFkYedPeDA17SzwbkBlQCS:uEsnWaFv4grh598ZAecg8bk7QV

    • GuLoader, CloudEyE

      A shellcode-based downloader first seen in 2020.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent file, possibly to detect virtualization.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
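The extracted config (family and C2) and the file hashes above can be turned directly into triage checks: confirm that a file on disk is this sample, and find hosts that contacted the C2 in proxy logs. The script below is an added example, not the sandbox's output and not code from the WSHRAT or GuLoader families. The C2 URL and hashes are copied from the report; the proxy log lines are constructed here, the "timestamp client method url status" log layout is an assumption, and nothing about WSHRAT's real beacon format is implied.

```python
"""Triage helpers built from the indicators in this report (added example).

The C2 URL and the file hashes below are copied from the report. The proxy
log lines are constructed for illustration and are not real WSHRAT traffic;
the log format is an assumed space-separated
"timestamp client method url status" layout.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Extracted config from the report.
FAMILY = "wshrat"
C2_URL = "http://45.90.222.131:7121"
_c2 = urlsplit(C2_URL)
C2_HOST = _c2.hostname          # "45.90.222.131"
C2_PORT = _c2.port or 80        # 7121

# File hashes of the analysed sample, as listed in the report.
REPORT_HASHES = {
    "md5": "210b741e2da121370c2521e56fd1a1c6",
    "sha1": "679b47ca2ed1d3b1131239914149ff0a68670ddb",
    "sha256": "e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469",
    "sha512": "68754122d90efb108e0012dfa611bbed333032527254d9dc515ecee11974aef2"
              "9a982807b177fde9841d6ff4d878a7e7860c450bf9c8a7fd804026960b6220d7",
}


def file_hashes(data: bytes) -> dict:
    """Compute the same digest set the report lists, for a file's bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matches_report(hashes: dict) -> bool:
    """True if any algorithm the report lists agrees with the given digests.

    Every algorithm the report provides is compared (not only MD5, which is
    collision-prone), and a missing key on the caller's side never raises.
    """
    return any(hashes.get(algo, "").lower() == digest
               for algo, digest in REPORT_HASHES.items())


# Assumed proxy log layout: timestamp, client IP, method, URL, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_c2_contacts(lines):
    """Return (timestamp, client, url, exact) for each request to the C2 host.

    `exact` is True when host and port both match the extracted C2; traffic
    to the same host on another port is still reported (exact=False), since
    the C2 host is an indicator on its own.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                   # unparseable line: skip, do not crash
        url = urlsplit(m["url"])
        try:
            port = url.port or 80
        except ValueError:             # malformed port in the URL
            continue
        if url.hostname == C2_HOST:
            hits.append((m["ts"], m["src"], m["url"], port == C2_PORT))
    return hits


# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "2023-07-18T10:01:02Z 10.0.0.15 GET http://update.example.net/manifest.xml 200",
    "2023-07-18T10:01:09Z 10.0.0.15 POST http://45.90.222.131:7121/ 200",
    "2023-07-18T10:02:11Z 10.0.0.22 GET http://45.90.222.131/ 404",
    "2023-07-18T10:03:40Z 10.0.0.15 POST http://45.90.222.131:7121/ 200",
    "this line does not follow the log layout",
]


if __name__ == "__main__":
    for ts, src, url, exact in find_c2_contacts(SAMPLE_LOG):
        kind = "C2 host+port" if exact else "C2 host, other port"
        print(f"{ts} {src} -> {url} ({kind})")
    print("report family:", FAMILY)
```

Run it as-is to see the two exact C2 contacts from 10.0.0.15 and the host-only hit from 10.0.0.22; to check a file, pass `file_hashes(open(path, "rb").read())` to `matches_report`. Matching on the C2 host alone, not only host plus port, is deliberate: a second stage can reuse the same infrastructure on a different port, and the cost of reviewing the extra hit is low.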

MITRE ATT&CK Enterprise v6

Tasks