General

  • Target

    e8384166957076efd104eaf0443b1cda502c5d6e3bdc3f0ea4764b5adb77ee16

  • Size

    60KB

  • Sample

    241121-ynt4lszqbj

  • MD5

    365b2c4ceb407b718259bcdb645071f3

  • SHA1

    b419e462e61007469718280974b59a487462b033

  • SHA256

    e8384166957076efd104eaf0443b1cda502c5d6e3bdc3f0ea4764b5adb77ee16

  • SHA512

    1d0cce1c8282892c91d80940e25ce48eef26fac07b551c1b1d58c9273b6ae8c9163fccf4a536c3a2a32aa8201fa1ccdcb9061c49d68379e561d282dd00984a08

  • SSDEEP

    1536:UQMAjlNUdTNvNP+bcynwzzfI4jhVxneawfydc8cz9:rlopvNmb5eI4fIawfqc8C

Malware Config

Extracted

  • Family

    guloader

  • C2

    https://drive.google.com/uc?export=download&id=1eS7ZjBeF8dblWu1ZZ1U1CF4vescWndHE

    https://drive.google.com/uc?export=download&id=1xAtgeY-y0Ovf41LpAmat5XPeHwnWyI0P

    xor.base64
    xor.base64

Targets

    • Target

      Original copies of shipment docs.exe

    • Size

      92KB

    • MD5

      8b96af7d76b487cea6aa04f565b8cb9f

    • SHA1

      3e904fec3e82c9f01ccc64fbdcde35d306c6147f

    • SHA256

      49559dd2c1d9b0841f3384f3080013f8d644760d45ab7cd4fb4928bb2b91f354

    • SHA512

      786140d030095ce5c0865c21e049c8572e3ee5ec78eadebb15611a4b0f59bac995a306f14e85cd30506cd7661819d3d6a3fe43e4ac714fceb9e0c0991f171790

    • SSDEEP

      768:DUN8RIPdfSAxqFpdyNmqsNjl+mF2AdJVmyzXUsRVVWmZjrFLaH/hQ:ANJEjd+bAlJFvNzksRCQjhGK

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      pic05678063.exe

    • Size

      92KB

    • MD5

      22b022a5547dbc1c9bcfb8e4d7eb440f

    • SHA1

      952b628cb42495baf73c468d509f249d55aa7966

    • SHA256

      c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414

    • SHA512

      c1a8f88047f91c4ad9b0e916d17f2c32c3fa080208d1eb77cab0ce57bb8594337d324bf99275bca1c5eb89d5dcf5898ccefa9de83efbe9a3beb2369ac6355c76

    • SSDEEP

      1536:RHR4uv4MRD+wmxH+2POAGcS5g0nhS61D4B:9ym+dRnC5g0ns61kB

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks