General

  • Target

    guloader.bin

  • Size

    209KB

  • Sample

    231227-d8hwvsace5

  • MD5

    2b40b86c870ab6b0e9b08f26bd231e1a

  • SHA1

    78a6fc51761c25fe571fec37ca4beaa13d7b5d48

  • SHA256

    6c9c9bd77d704ca8c48a0125289e0e15e75f62f09d40ffad58a24bd96c3a57c0

  • SHA512

    ee585115ff7a99ff169915199cbc904529e53bf139d0423f28df5fd41714c01928150442fef33ae364ac6209c2bb62e285c1cf88b9202272cc0eec11780eb4d1

  • SSDEEP

    3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    i638

  • Decoy


Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
