guloader | fe62c3e75f40fdd55627df462b423c6f6004b26e454041ff115e755d1c26120b | Triage

Sharing

General

Target

fe62c3e75f40fdd55627df462b423c6f6004b26e454041ff115e755d1c26120b
Size

107KB
Sample

241121-yqxmhswlgy
MD5

5b8cd759af56daf685bf58673b7f1a9c
SHA1

a7593f03acd52cfbd15bfa24ba281ecb8dcd98d6
SHA256

fe62c3e75f40fdd55627df462b423c6f6004b26e454041ff115e755d1c26120b
SHA512

540184b570c1ee87160af463931e85c5aad5c6ddd8c2a8afd5c5828456a94843234f70a41e178bda224215752990a947a27826e450d4b23b11f09afb884bfd17
SSDEEP

1536:li9wQ+rziMl3ic1VtlnRVXPI/GboV/ZnYtZrYpEybIEnUVaD7+6P3Gmx+ddhYPLd:kMrzPl3Zsme5YnklbTUVm7+MGmx62LfF

Score

10^/10

guloader xloader i8be discovery downloader loader rat

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1-7CEqaIs0xr7KeLf1RsQKlZCjSlB91Jb

xor.base64

Extracted

Family

xloader

Version

2.3

Campaign

i8be

Decoy

cdymjim.icu

globalmilitaryaircraft.com

slusheestore.com

freepdfconvert.net

itadsweden.com

legenddocs.com

metholyptus.com

966cm.com

mobilitygloves-protect.com

travaze.net

go-kalisa.com

believehavefaith.com

nywebhost.com

semitsol.com

wowyuu.net

cochesb2b.com

gobesttobuy.com

senmec23.com

bmsgw.com

newazenterprise.com

Targets

- Target
  
  ATTACHED ORIGINAL REF __NOTE.exe
- Size
  
  252KB
- MD5
  
  995a9f0d72ee6407f3979543930d80ae
- SHA1
  
  8e38d89ab142ccbfb95952f873f49df56ab65055
- SHA256
  
  77a74587d301dfd79d5c60a874ac580e83c389e8566261f60b09d87cdffa2e38
- SHA512
  
  f72e8016c05880bc5a338266e5f4859b88c3c66b262264ce48fb30ca4efbf53eb6101579f46c4f83794ebb332a78e45bda8088b9707454b959a640b0b3278f1e
- SSDEEP
  
  3072:A1p9M3scGOWyLvr1f+lwYuJIVPUVJXgcAm6S6l7g98HimFx1zeBgxX:3nG1eJffYuJ4cVdx36Fl7U8mBe
Score

10^/10

guloader xloader i8be discovery downloader loader rat
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderxloaderi8bediscoverydownloaderloaderrat

behavioral2

guloaderxloaderi8bediscoverydownloaderloaderrat