General

Target: guloader.bin
Size: 209KB
Sample: 231227-d8hwvsace5
MD5: 2b40b86c870ab6b0e9b08f26bd231e1a
SHA1: 78a6fc51761c25fe571fec37ca4beaa13d7b5d48
SHA256: 6c9c9bd77d704ca8c48a0125289e0e15e75f62f09d40ffad58a24bd96c3a57c0
SHA512: ee585115ff7a99ff169915199cbc904529e53bf139d0423f28df5fd41714c01928150442fef33ae364ac6209c2bb62e285c1cf88b9202272cc0eec11780eb4d1
SSDEEP: 3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX
Static task: static1

Behavioral task: behavioral1
Sample: guloader.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: guloader.exe
Resource: win10v2004-20231215-en
Malware Config
Extracted
xloader
2.5
i638
serenitynailandspanj.com
health-dodo.com
agjordan.net
retro-kids.com
bobbygoldsports.com
seitai-kuuto369.com
sooga.club
ezsweswrwy68.biz
1006e.com
libinyu.com
prolinkdm.com
pilysc.com
blim.xyz
eshop-dekorax.com
timestretchmusic.com
bs6351.com
diamondmoodle.com
antioxida.com
sakugastudios.com
metaverse-coaching.com
motometics.com
illumination-garage.com
thelocalsproject.com
erealestater.com
frankenamazing.com
arab-enterprises.com
e15datadev.com
bet365star.online
bttextiles.com
originaltradebot.icu
test-testjisdnsec.net
cloudwerx.digital
gsjbd10.club
joshuaearp.xyz
tvaluehelp.com
quietplaceintheforest.com
refinanceforblue.com
voiceoftour.com
civicinfluence.com
taxation-resources.com
regeneration.land
gogit.net
spicynipples.com
goldingravel.com
selingoo.com
aaryantech.com
insight-j.com
drivenbylight.net
meipassion.com
scuolapadelroma.store
929671.com
parkerdazzle.com
yehudi-meshutaf.com
johnsonforsheriff2022.com
pointhunteracademy.com
kyliiejenner.com
tenlog066.xyz
dobylife.com
josemanueldelbusto.com
vspfrme.com
256571.com
crossovertest.net
fullcurlcnc.com
theworldisheroyster.com
thesocialmediacreator.com
Targets

Target: guloader.bin
Size: 209KB
MD5: 2b40b86c870ab6b0e9b08f26bd231e1a
SHA1: 78a6fc51761c25fe571fec37ca4beaa13d7b5d48
SHA256: 6c9c9bd77d704ca8c48a0125289e0e15e75f62f09d40ffad58a24bd96c3a57c0
SHA512: ee585115ff7a99ff169915199cbc904529e53bf139d0423f28df5fd41714c01928150442fef33ae364ac6209c2bb62e285c1cf88b9202272cc0eec11780eb4d1
SSDEEP: 3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX
- Xloader payload
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext