General

  • Target

    27b373a50962c2f8fe26274c147195cd.bin

  • Size

    5KB

  • Sample

    240626-csqq4aygmc

  • MD5

    74de81a35f9a37849a248a07cb5ee402

  • SHA1

    7aba75d6fa000f5c02815038c6c7a3fab6e99d31

  • SHA256

    eef6091f5ac8b814e3a4398dc822e5f22e3be47500c18b9074d51269927158f7

  • SHA512

    6fca2f13eb0ef4bee03c21ca0c05f0206bc0704cc3ca37892e4bc770e44db2728e11bc443816b0a51f5b3d82774a0bbebe35682e596a9e5b239403066f17ccc2

  • SSDEEP

    96:60Ne1y/ktV/iq84yRfUp2ZCI89GPe0oAzA6Eq7WepF35xrwQPGqzp/PL2QOZwF:zOyEVqTXRfUp2ZT7PDo6AKpF3XrSoT2u

Malware Config

Targets

    • Target

      3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee.vbe

    • Size

      9KB

    • MD5

      27b373a50962c2f8fe26274c147195cd

    • SHA1

      1bba2d71036d371f78d628ac9c6cc13221d9ee89

    • SHA256

      3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee

    • SHA512

      dde61a1a192e888bd47135be665678b2334efb8d860ec0ea2224e1d17b95da3cbdad3fb79eff428ae99e0514d8e301d2b424c54127f8f621889e95a4ed888111

    • SSDEEP

      192:pzu36F4teCvSV/mcS36C2W3E11hEAGst4QoKVYHva607dqh2eyTxN8mSVqn:436Se4z36A3cDt/Rdb8miqn

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the hide-from-debugger flag, so the thread generates no debug events; an anti-debugging technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class on an existing thread, with the same anti-debugging effect.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register context, commonly used to redirect execution into injected code.
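
The flags above are what a sandbox signature engine derives from raw process, registry and network events. The following is an added example, not code from the sandbox that produced this report or from the sample itself, showing how the PowerShell hidden-window, Run key and script-host network flags can be re-derived from such events and tagged with the ATT&CK IDs the report uses. The event schema (dicts with a type of process, registry or network) and every path, value and IP address in the sample events are constructed for the example; a real export needs a small adapter to this shape.

```python
"""Re-derive the behaviour flags in this report from raw sandbox events.

Added example; this is not code from the sandbox vendor or from the
sample. The event schema (dicts with a 'type' of process, registry or
network) is invented for the example, so a real export (Triage, CAPE,
Sysmon) needs a small adapter to this shape before use.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed events modelling the report's behaviour list: a .vbe run by
# Windows Script Host spawns a hidden-window PowerShell, which adds a Run
# key and then talks to the network. Paths, names and the IP are made up.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice.vbe"'},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -w 1 -Ep Bypass -EncodedCommand SQBFAFgA"},
    {"type": "registry", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"wscript.exe //B C:\Users\u\AppData\Roaming\upd.vbe"},
    {"type": "network", "pid": 200, "dst": "198.51.100.7", "port": 443},
    # Benign noise that must not be flagged.
    {"type": "process", "pid": 300, "ppid": 1,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "pid": 300, "key": r"HKCU\Software\Microsoft\Notepad",
     "value": "iWindowPosX", "data": "0"},
]


@dataclass(frozen=True)
class Finding:
    technique: Optional[str]  # ATT&CK ID as listed in the report's matrix, if any
    title: str
    pid: int
    evidence: str


SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"} | SHELLS
# powershell.exe accepts any unambiguous prefix of -WindowStyle, and the
# value may be the enum name or its number (Hidden == 1), so "-w 1" counts.
WINDOWSTYLE_PREFIXES = {"windowstyle"[:n] for n in range(1, 12)}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_hidden_window(cmdline: str) -> bool:
    """True if the PowerShell command line asks for a hidden window."""
    toks = cmdline.split()
    for flag, val in zip(toks, toks[1:]):
        if flag[:1] in ("-", "/") and flag[1:].lower() in WINDOWSTYLE_PREFIXES \
                and val.lower() in ("hidden", "1"):
            return True
    return False


def triage(events: List[dict]) -> List[Finding]:
    """Apply the report's process/registry/network flags to an event list."""
    image_of = {e["pid"]: _basename(e["image"]) for e in events if e["type"] == "process"}
    findings: List[Finding] = []
    for e in events:
        if e["type"] == "process":
            name = _basename(e["image"])
            parent = image_of.get(e["ppid"], "")
            if name in SHELLS and has_hidden_window(e["cmdline"]):
                findings.append(Finding("T1059.001", "PowerShell run with hidden window",
                                        e["pid"], e["cmdline"]))
            if name in SHELLS and parent in SCRIPT_HOSTS - SHELLS:
                findings.append(Finding("T1059", "Script host spawned PowerShell",
                                        e["pid"], f"{parent} -> {name}"))
        elif e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            findings.append(Finding("T1547.001", "Adds Run key to start application",
                                    e["pid"], f'{e["key"]}\\{e["value"]} = {e["data"]}'))
        elif e["type"] == "network" and image_of.get(e["pid"]) in SCRIPT_HOSTS:
            findings.append(Finding(None, "Script interpreter makes network request",
                                    e["pid"], f'{image_of[e["pid"]]} -> {e["dst"]}:{e["port"]}'))
    return findings


def technique_counts(findings: List[Finding]) -> Dict[str, int]:
    """Per-technique hit counts, the shape of the count column in the ATT&CK matrix."""
    return dict(Counter(f.technique for f in findings if f.technique))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique or '-':10} pid={f.pid:<4} {f.title}: {f.evidence}")
    print(technique_counts(triage(SAMPLE_EVENTS)))
```

The network flag carries no technique ID because the report's matrix lists none for it; the hidden-window check tokenises the command line rather than matching a fixed string so that the abbreviated forms PowerShell accepts (-w 1, -win hidden) are not missed.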

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                             Count  ID
  Execution             Command and Scripting Interpreter     1      T1059
                        PowerShell                            1      T1059.001
  Persistence           Boot or Logon Autostart Execution     1      T1547
                        Registry Run Keys / Startup Folder    1      T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution     1      T1547
                        Registry Run Keys / Startup Folder    1      T1547.001
  Defense Evasion       Modify Registry                       2      T1112

Tasks