guloader | b4e586ae4fe78a41c0da390b0b7d9e054e93cf62e5f06f9fd62ed946aae0930c

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 19:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Connectible.exe
Size

1.2MB
MD5

40437f4bc8980c7b1aeb9aebc64de972
SHA1

54ec92ddbfdc8ed68591e1563745eedb651c7f29
SHA256

b4e586ae4fe78a41c0da390b0b7d9e054e93cf62e5f06f9fd62ed946aae0930c
SHA512

fd001d0698fe2a7221882005a4e557a1e020b3366688a015370c40214cd29348002286cd6e7a0a8ea2912ba6c671068e82fac5062d8bfa42375a89a5d104159b
SSDEEP

24576:gqG+Vm6IaJe7vTz8Nk95ACjKC4onl8Q3wlRjMPybTJmU8:LGP6IaJe7nSIACjKCxl13ojMPybl6

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Connectible.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Connectible.exe

Loads dropped DLL 1 IoCs

pid	Process
3816	Connectible.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3816	Connectible.exe
2996	Connectible.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3816 set thread context of 2996	3816	Connectible.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3816	Connectible.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 2996	3816	Connectible.exe	99
PID 3816 wrote to memory of 2996	3816	Connectible.exe	99
PID 3816 wrote to memory of 2996	3816	Connectible.exe	99
PID 3816 wrote to memory of 2996	3816	Connectible.exe	99
PID 3816 wrote to memory of 2996	3816	Connectible.exe	99

C:\Users\Admin\AppData\Local\Temp\Connectible.exe
"C:\Users\Admin\AppData\Local\Temp\Connectible.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Users\Admin\AppData\Local\Temp\Connectible.exe
  "C:\Users\Admin\AppData\Local\Temp\Connectible.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf925E.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/2996-26-0x00000000774E8000-0x00000000774E9000-memory.dmp

Filesize
4KB

Download
memory/2996-23-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2996-24-0x0000000001660000-0x0000000004096000-memory.dmp

Filesize
42.2MB

Download
memory/2996-25-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2996-27-0x0000000001660000-0x0000000004096000-memory.dmp

Filesize
42.2MB

Download
memory/2996-28-0x0000000077505000-0x0000000077506000-memory.dmp

Filesize
4KB

Download
memory/2996-38-0x0000000077461000-0x0000000077581000-memory.dmp

Filesize
1.1MB

Download
memory/3816-19-0x00000000041C0000-0x0000000006BF6000-memory.dmp

Filesize
42.2MB

Download
memory/3816-20-0x0000000077461000-0x0000000077581000-memory.dmp

Filesize
1.1MB

Download
memory/3816-21-0x0000000077461000-0x0000000077581000-memory.dmp

Filesize
1.1MB

Download
memory/3816-22-0x00000000742C0000-0x00000000742C6000-memory.dmp

Filesize
24KB

Download
memory/3816-18-0x00000000041C0000-0x0000000006BF6000-memory.dmp

Filesize
42.2MB

Download