Overview

overview

10

Static

static

3

Payment_Sl...29.exe

windows7-x64

10

Payment_Sl...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment_Slip_2020190002602329.exe

  • Size

    52KB

  • MD5

    6b7ebf98238c64023780fe69743da21d

  • SHA1

    42c3203593d4814c8f14b6b706b7009f226e2eb7

  • SHA256

    35787807345e104b2fc93883c3d54925d876b4c6a03153110acd9cf86f655459

  • SHA512

    16f33b6edf612a3ee3580ecaf5abfd015687c0306323f4428c2dbf8610d3409ef379fa4e749efa7615b14759f8c54ecd7e52760d851c9d1a27c1229ec1a76aea

  • SSDEEP

    768:ZQeVfWGZg7Pz4lihPd2g+8Y1Vb5ENmC1amAgOciaWHKJIp:ZNVrg70if1YTwmC17A/DaWHxp

Score
10/10
guloaderdiscoverydownloaderguloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1N8EyzMe4Ew_jAHmVr_vmlyMkeUvV7TUH

xor.base64

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Guloader payload 2 IoCs
    guloader
  • Checks QEMU agent file 2 TTPs 1 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment_Slip_2020190002602329.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment_Slip_2020190002602329.exe"
    1⤵
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1124-3-0x0000000077351000-0x0000000077452000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1124-2-0x0000000000280000-0x0000000000288000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1124-4-0x0000000077350000-0x00000000774F9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1124-5-0x0000000000280000-0x0000000000288000-memory.dmp

    Filesize

    32KB

    Download