guloader | 4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6dexe_JC.exe
Size

387KB
Sample

231007-v1zcbagd88
MD5

f80d07045b8aba5de2ba621910e001ac
SHA1

91d543054f3fb15f5ca7ce2ff0b447b548d7a90b
SHA256

4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6d
SHA512

76a99da6cf3bf7cb2547de99d1c183213113774098402567b39bb04f7a7b80db2c04b78b3ac1f824e71e633cec8a9891f40f5e4b6f1b90727ad78228b7fcc615
SSDEEP

6144:IqaFH+9KGmy45F3aK5/FnSHKqcnHfuPodNgDzBQxCrjNqms5IbPhalnKay:I5Lvh59j/FnLqSHfnNMdrjNm5IUlnKD

Score

10^/10

guloader xworm downloader persistence rat trojan

Malware Config

Targets

- Target
  
  NEAS.4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6dexe_JC.exe
- Size
  
  387KB
- MD5
  
  f80d07045b8aba5de2ba621910e001ac
- SHA1
  
  91d543054f3fb15f5ca7ce2ff0b447b548d7a90b
- SHA256
  
  4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6d
- SHA512
  
  76a99da6cf3bf7cb2547de99d1c183213113774098402567b39bb04f7a7b80db2c04b78b3ac1f824e71e633cec8a9891f40f5e4b6f1b90727ad78228b7fcc615
- SSDEEP
  
  6144:IqaFH+9KGmy45F3aK5/FnSHKqcnHfuPodNgDzBQxCrjNqms5IbPhalnKay:I5Lvh59j/FnLqSHfnNMdrjNm5IUlnKD
Score

10^/10

guloader downloader persistence xworm rat trojan
- Detect Xworm Payload
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdownloaderpersistence

behavioral2

guloaderxwormdownloaderpersistencerattrojan