General

Target: APPROVED-GA_FRC-7X-and FRC11X BDRM 400X200-01.vbs
Size: 46KB
Sample: 231004-m412bada33
MD5: e5f1eb405ad0af5574827e743ce7cabb
SHA1: 3e9997b9d33b6ca848804e0916b59819af7fa75c
SHA256: f14fd46f7f62723e98144e67a05ae32c82d4702151b528b0d08155d73f95d1e7
SHA512: 465d957668d611afd7dd677b16004d049ed9c2cd204d1d3bfd2b17a6de12e77a88bfc94650d1f9335bc289064ae814c27b0e411a577ed395057bd4c6cf66bb37
SSDEEP: 768:9wccYgMDWLqcAxfmWaJ7CArkx37LnciioAH4Lg0Erwi49eH0GqnwNXv6da+AKZlB:9DgM6WzYpkx33nFiavXiowNyda+jG4
Static task: static1

Behavioral task: behavioral1
Sample: APPROVED-GA_FRC-7X-and FRC11X BDRM 400X200-01.vbs
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: APPROVED-GA_FRC-7X-and FRC11X BDRM 400X200-01.vbs
Resource: win10v2004-20230915-en
Malware Config

Extracted
Protocol: smtp
Host: mail.fbarrachina.com
Port: 587
Username: [email protected]
Password: Ca$tellon2020a
Targets

Target: APPROVED-GA_FRC-7X-and FRC11X BDRM 400X200-01.vbs
Score: 10/10

- Blocklisted process makes network request
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext