General

  • Target

    6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe

  • Size

    549KB

  • Sample

    240426-bnanmsgg5z

  • MD5

    4621fea50e1982e6f753efe7d1be2b35

  • SHA1

    46072b07bfa96583ed03149a04411cbcf04eadf9

  • SHA256

    6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603

  • SHA512

    301e380d9e207caa7e994b251e2018207851a32f0c1850b3de669742c9d640d5254640d972e0143bc99e8cb2e3728bb7878814e66498928ff777d26c9bd206f5

  • SSDEEP

    12288:8stfWr2zXogHMSwOdJ1JUTrNuVwik2Mx/DvMAM++:8st+r2zXZ/dJyrNuuik2yDc++

Malware Config

Targets

    • Target

      6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603.exe

    • Size

      549KB

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      5aa38904acdcc21a2fb8a1d30a72d92f

    • SHA1

      a9ce7d1456698921791db91347dba0489918d70c

    • SHA256

      10675f13abaee592f14382349aa35d82fb52aab4e27eef61d0c83dec1f6b73da

    • SHA512

      f04740da561d7cd0dea5e839c9e1c339d4a3e63944d3566c94c921a3d170a69918a32dff3f3b43f13d55cc25a2dbb4c21104f062c324308ac5104179766402a3

    • SSDEEP

      96:AOBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+uHwEX:AhB2flXAVJtjf6cBbcB/N8Ved0PZ

    • Score

      3/10

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks