Extracted

• • Target

    Remesas Aceptadas_PDF.exe

  • Size

    353KB

  • MD5

    5eac01eb48b833581db348bc8ab49932

  • SHA1

    76adbcf9ffd7c737a513c61412c74a8acb9832d2

  • SHA256

    b48a5ebf4d21ce938606b70952e053ff15581a50d96e1e2cec000a8173edade3

  • SHA512

    dddf71de0f660ef623811091c95f7779ffb14e1974b7fe83c37be570cd5c731470be3d6d2cf67ff2745e7c756acb6cd208c552428a9ddd86e66ff9487d636b2d

  • SSDEEP

    6144:kQ606xiZ8/J8UwuB58YjMo3LNkW0IqWNhPyXgeXyy4WUviQX2EMKedJje:fZ8/Sg8doLOWJd7DdevK

  Score

  10^/10

  guloaderdownloader

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2