guloader | 03586e23f1a37a4d85fe6a626d7b4af3c0041f4ea304dcb695bc6e03d525b6e1

Analysis

max time kernel
14s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

288884ac625f7cc93a396d875bfd7a89.exe
Size

4.8MB
MD5

288884ac625f7cc93a396d875bfd7a89
SHA1

5653b63b175e075d615a4f95296a3a8bdf816376
SHA256

03586e23f1a37a4d85fe6a626d7b4af3c0041f4ea304dcb695bc6e03d525b6e1
SHA512

9d5fe7bd4745d8fc3693a0bf482ae26b07ab4a529bb8fc8b8ed355c304f547c1520e15a57272c23a713cba8252abe58160d07088c474af144d8226a83c49b05a
SSDEEP

12288:tuBdmV5bzGwzHGwTHbnH1BrCHkn7CwzRhWQCHi:tuDCQwiwH1BWnghWHi

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	288884ac625f7cc93a396d875bfd7a89.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3036	288884ac625f7cc93a396d875bfd7a89.exe
2844	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3036	288884ac625f7cc93a396d875bfd7a89.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	288884ac625f7cc93a396d875bfd7a89.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28
PID 3036 wrote to memory of 2844	3036	288884ac625f7cc93a396d875bfd7a89.exe	28

C:\Users\Admin\AppData\Local\Temp\288884ac625f7cc93a396d875bfd7a89.exe
"C:\Users\Admin\AppData\Local\Temp\288884ac625f7cc93a396d875bfd7a89.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Users\Admin\AppData\Local\Temp\288884ac625f7cc93a396d875bfd7a89.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2844-5-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/2844-6-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/2844-8-0x0000000076F80000-0x0000000077056000-memory.dmp

Filesize
856KB

Download
memory/2844-7-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/2844-10-0x00000000002A0000-0x00000000003A0000-memory.dmp

Filesize
1024KB

Download
memory/2844-11-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/3036-2-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/3036-4-0x0000000076F80000-0x0000000077056000-memory.dmp

Filesize
856KB

Download
memory/3036-3-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/3036-9-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/3036-12-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download