Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04-02-2025 13:08
General
-
Target
Request for Quotation_0202025_pdf.exe
-
Size
859KB
-
MD5
e8d824d5dc4a54bab80b87ffc437f736
-
SHA1
41cfb942e1e7e344d721924526ccf066a9372153
-
SHA256
03fcc5d97d3ff4e8fb734aed8c29e0e4680f3f27ddbd67acf90d2c5bac259960
-
SHA512
7492ec3ccad3cf663680cf9b4979e0e7186c345e7150cb74af5cff942c4dea3cd7a0e23c21a57713e69a41cc87c0c523064dc6e6b5d01fc7e06773b6127e8ed8
-
SSDEEP
24576:QPyqE0GP4TqyTbZtOgbsf/iuReqr/sblNP9ExO:IE0YybZ4KWp/sblNVE8
Malware Config
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Request for Quotation_0202025_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Request for Quotation_0202025_pdf.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Request for Quotation_0202025_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Request for Quotation_0202025_pdf.exe"2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5e83f9982d02f51d90ccb3e999ac89a95
SHA131a80a514244ac340625fe21fba299235f130cfc
SHA25613cbbda804872162ff79fa0681d1dc828f803ca60247e9be06975ea21910af62
SHA5129db2aa9509971a6e5fa9289a7f37db3cf67e4285c768e0d0181687f2f35a5d120afb70e023c2c52752b2eb58dbeadfacdf7eb303164baf77f06add2c9866f743
-
Filesize
1KB
MD5f610d881cc961004cf8d24a0816e8dd8
SHA1174a3369daf4ada4850c27cd724087d952260ad1
SHA256e1158410177f05e9a77dcd51172af9af42a3d2b38e295d6fcbee9a22e5c392aa
SHA512a93ef7dd08c2b13f4a403c7aed807ac2adedd3a16931cd931a9fbb40f96952937a4a4bb38a9c1b9344c113aed8516c0f67677a2285face2bbb729a5bde6a3ad9
-
Filesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize
77.4MB
-
Filesize
1.7MB
-
Filesize
16.4MB
-
Filesize
16.4MB
-
Filesize
77.4MB
-
Filesize
120KB
-
Filesize
1.7MB
-
Filesize
1.0MB
