guloader | 2122bc20e4c6f98a7044e7263ea66bab43ef57c7937013fcce1f340bdbe0b986

General

Target

Shipment wk017 Note.exe
Size

136KB
MD5

888dc51206a6512e8aa6cb60a7012029
SHA1

8bf815c49cf4a369bbdf6a8cedcf893c0c634d47
SHA256

e63e3587e1c98a2512669f1a8a31c594f18eb8087e9ff413cba99e849315566a
SHA512

5d913afd3f61e33d0e37fac4aeaf1506af072d501d8b6c9f1bb4385399e2e3d312b338ebebd6332f74f48ae183469321b63db8d495cec0ff9a05bb24fa10fb4d

Score

10^/10

guloader lokibot downloader guloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Guloader Payload 3 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/2232-116-0x00000000001C0000-0x00000000001CD000-memory.dmp	family_guloader
behavioral2/memory/3520-117-0x00000000004016C4-mapping.dmp	family_guloader
behavioral2/memory/3520-120-0x0000000000560000-0x0000000000660000-memory.dmp	family_guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Shipment wk017 Note.exeShipment wk017 Note.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Shipment wk017 Note.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Shipment wk017 Note.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Shipment wk017 Note.exeShipment wk017 Note.exe

pid process

2232 Shipment wk017 Note.exe
3520 Shipment wk017 Note.exe
3520 Shipment wk017 Note.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Shipment wk017 Note.exe

description pid process target process

PID 2232 set thread context of 3520 2232 Shipment wk017 Note.exe Shipment wk017 Note.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Shipment wk017 Note.exe

pid process

2232 Shipment wk017 Note.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Shipment wk017 Note.exe

pid process

3520 Shipment wk017 Note.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Shipment wk017 Note.exe

description pid process

Token: SeDebugPrivilege 3520 Shipment wk017 Note.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Shipment wk017 Note.exe

pid process

2232 Shipment wk017 Note.exe

pid	process
2232	Shipment wk017 Note.exe
3520	Shipment wk017 Note.exe
3520	Shipment wk017 Note.exe

description	pid	process	target process
PID 2232 set thread context of 3520	2232	Shipment wk017 Note.exe	Shipment wk017 Note.exe

pid	process
2232	Shipment wk017 Note.exe

pid	process
3520	Shipment wk017 Note.exe

description	pid	process
Token: SeDebugPrivilege	3520	Shipment wk017 Note.exe

pid	process
2232	Shipment wk017 Note.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Shipment wk017 Note.exe

description	pid	process	target process
PID 2232 wrote to memory of 3520	2232	Shipment wk017 Note.exe	Shipment wk017 Note.exe
PID 2232 wrote to memory of 3520	2232	Shipment wk017 Note.exe	Shipment wk017 Note.exe
PID 2232 wrote to memory of 3520	2232	Shipment wk017 Note.exe	Shipment wk017 Note.exe
PID 2232 wrote to memory of 3520	2232	Shipment wk017 Note.exe	Shipment wk017 Note.exe

C:\Users\Admin\AppData\Local\Temp\Shipment wk017 Note.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment wk017 Note.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\Shipment wk017 Note.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment wk017 Note.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-116-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/3520-117-0x00000000004016C4-mapping.dmp

Download
memory/3520-118-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3520-119-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/3520-120-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/3520-122-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3520-123-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/3520-121-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/3520-125-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/3520-124-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/3520-126-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/3520-128-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/3520-127-0x0000000000406000-0x0000000000407000-memory.dmp

Filesize
4KB

Download
memory/3520-129-0x0000000000409000-0x000000000040A000-memory.dmp

Filesize
4KB

Download
memory/3520-131-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/3520-130-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/3520-132-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/3520-134-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/3520-136-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/3520-133-0x000000000040D000-0x000000000040E000-memory.dmp

Filesize
4KB

Download
memory/3520-135-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/3520-137-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/3520-139-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/3520-138-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3520-154-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads