guloader | e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469

Analysis

max time kernel
150s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
18-07-2023 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
Size

466KB
MD5

210b741e2da121370c2521e56fd1a1c6
SHA1

679b47ca2ed1d3b1131239914149ff0a68670ddb
SHA256

e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469
SHA512

68754122d90efb108e0012dfa611bbed333032527254d9dc515ecee11974aef29a982807b177fde9841d6ff4d878a7e7860c450bf9c8a7fd804026960b6220d7
SSDEEP

6144:xIw3AEsnWaFcWjU0DBS9grh/B9EFkYedPeDA17SzwbkBlQCS:uEsnWaFv4grh598ZAecg8bk7QV

Score

10^/10

guloader wshrat downloader persistence trojan

Malware Config

Extracted

Family

wshrat

http://45.90.222.131:7121

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b00a-160.dat	family_wshrat
behavioral1/files/0x000600000001b00c-196.dat	family_wshrat

Blocklisted process makes network request 13 IoCs

flow	pid	Process
12	4852	wscript.exe
15	4852	wscript.exe
17	4852	wscript.exe
19	4852	wscript.exe
23	4852	wscript.exe
24	4852	wscript.exe
26	4852	wscript.exe
30	4852	wscript.exe
31	4852	wscript.exe
32	4852	wscript.exe
33	4852	wscript.exe
37	4852	wscript.exe
38	4852	wscript.exe

Downloads MZ/PE file

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
616	WSH01.exe

Loads dropped DLL 2 IoCs

pid	Process
356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\XcJBL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XcJBL.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcJBL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XcJBL.vbs\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 356 set thread context of 4364	356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	70

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 4364	356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	70
PID 356 wrote to memory of 4364	356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	70
PID 356 wrote to memory of 4364	356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	70
PID 356 wrote to memory of 4364	356	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	70
PID 4364 wrote to memory of 616	4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	71
PID 4364 wrote to memory of 616	4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	71
PID 4364 wrote to memory of 616	4364	e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe	71
PID 616 wrote to memory of 4852	616	WSH01.exe	72
PID 616 wrote to memory of 4852	616	WSH01.exe	72
PID 616 wrote to memory of 4852	616	WSH01.exe	72

C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
"C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:356
- C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
  "C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\WSH01.exe
    "C:\Users\Admin\AppData\Local\Temp\WSH01.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:4852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TKY5VT23\json[1].json

Filesize
323B

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSH01.exe

Filesize
528KB

MD5
dcc686cb21dfa32e9de87a6d8e7456fb

SHA1
00d1b251532dcb72ac2053df95342402f5694478

SHA256
bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29

SHA512
a39320b0c28581ac7fd37ccdd11ed00143ef421d397bde698a5cfd9955ff0ca2153a73bb69b001699db23c19cd9fd941007e9234a13ee510f67a9ccd602d24f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSH01.exe

Filesize
528KB

MD5
dcc686cb21dfa32e9de87a6d8e7456fb

SHA1
00d1b251532dcb72ac2053df95342402f5694478

SHA256
bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29

SHA512
a39320b0c28581ac7fd37ccdd11ed00143ef421d397bde698a5cfd9955ff0ca2153a73bb69b001699db23c19cd9fd941007e9234a13ee510f67a9ccd602d24f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq88AA.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs

Filesize
180KB

MD5
c437bda2e3045d21e7300dd3bb844cbb

SHA1
89fda9b463529b2309b8e1bd859f0cdeb2a8203f

SHA256
418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa

SHA512
d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

Download Submit
C:\Users\Admin\AppData\Roaming\XcJBL.vbs

Filesize
180KB

MD5
c437bda2e3045d21e7300dd3bb844cbb

SHA1
89fda9b463529b2309b8e1bd859f0cdeb2a8203f

SHA256
418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa

SHA512
d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

Download Submit
\Users\Admin\AppData\Local\Temp\nsq88AA.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
\Users\Admin\AppData\Local\Temp\nsq88AA.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
memory/356-130-0x00000000030B0000-0x0000000004AA7000-memory.dmp

Filesize
26.0MB

Download
memory/356-133-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/356-132-0x0000000077381000-0x0000000077494000-memory.dmp

Filesize
1.1MB

Download
memory/356-131-0x00007FFF14E30000-0x00007FFF1500B000-memory.dmp

Filesize
1.9MB

Download
memory/356-129-0x00000000030B0000-0x0000000004AA7000-memory.dmp

Filesize
26.0MB

Download
memory/616-159-0x00000000703D0000-0x0000000070ABE000-memory.dmp

Filesize
6.9MB

Download
memory/616-154-0x00000000703D0000-0x0000000070ABE000-memory.dmp

Filesize
6.9MB

Download
memory/616-152-0x00000000001A0000-0x000000000022A000-memory.dmp

Filesize
552KB

Download
memory/4364-161-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-167-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-140-0x0000000077406000-0x0000000077407000-memory.dmp

Filesize
4KB

Download
memory/4364-155-0x0000000001790000-0x0000000003187000-memory.dmp

Filesize
26.0MB

Download
memory/4364-158-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-139-0x0000000001790000-0x0000000003187000-memory.dmp

Filesize
26.0MB

Download
memory/4364-138-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-137-0x00007FFF14E30000-0x00007FFF1500B000-memory.dmp

Filesize
1.9MB

Download
memory/4364-163-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-162-0x0000000001790000-0x0000000003187000-memory.dmp

Filesize
26.0MB

Download
memory/4364-164-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-165-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-166-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-151-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-169-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-170-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-171-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-172-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-173-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-174-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-175-0x0000000077381000-0x0000000077494000-memory.dmp

Filesize
1.1MB

Download
memory/4364-176-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-177-0x00000000339B0000-0x0000000033CD0000-memory.dmp

Filesize
3.1MB

Download
memory/4364-187-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-189-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-191-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/4364-136-0x0000000001790000-0x0000000003187000-memory.dmp

Filesize
26.0MB

Download
memory/4364-134-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download