guloader | 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-01-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b31fdfb032644bcb1f8b072f4dc5e11a.exe
Size

197KB
MD5

b31fdfb032644bcb1f8b072f4dc5e11a
SHA1

1f4213eeaf0990d62b6c46ea8f29026c1555bc1a
SHA256

4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961
SHA512

653a701f4ed1cecd6081e800ec50300a11ac1b927b32192deef796176e655f287bf5024279f0e2821ab5ee62cbc6ac24155b12a9be637dd1c199209289f05087

Score

10^/10

guloader lokibot pony collection discovery downloader rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://windowssecuritycheck.gdn/gx/l/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

pony

http://windowssecuritycheck.gdn/gx/p/gate.php

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

DRAMATIS.com

pid process

816 DRAMATIS.com

pid	process
816	DRAMATIS.com

Checks QEMU agent file 2 TTPs 4 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeb31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.comDRAMATIS.com

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DRAMATIS.com
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DRAMATIS.com

Loads dropped DLL 4 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.comDRAMATIS.com

pid process

832 b31fdfb032644bcb1f8b072f4dc5e11a.exe
832 b31fdfb032644bcb1f8b072f4dc5e11a.exe
816 DRAMATIS.com
1160 DRAMATIS.com
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
832	b31fdfb032644bcb1f8b072f4dc5e11a.exe
832	b31fdfb032644bcb1f8b072f4dc5e11a.exe
816	DRAMATIS.com
1160	DRAMATIS.com

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

DRAMATIS.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	DRAMATIS.com

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DRAMATIS.com

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

pid process

832 b31fdfb032644bcb1f8b072f4dc5e11a.exe
832 b31fdfb032644bcb1f8b072f4dc5e11a.exe
1160 DRAMATIS.com
1160 DRAMATIS.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeb31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.comDRAMATIS.com

pid process

1668 b31fdfb032644bcb1f8b072f4dc5e11a.exe
832 b31fdfb032644bcb1f8b072f4dc5e11a.exe
816 DRAMATIS.com
1160 DRAMATIS.com

pid	process
832	b31fdfb032644bcb1f8b072f4dc5e11a.exe
832	b31fdfb032644bcb1f8b072f4dc5e11a.exe
1160	DRAMATIS.com
1160	DRAMATIS.com

pid	process
1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe
832	b31fdfb032644bcb1f8b072f4dc5e11a.exe
816	DRAMATIS.com
1160	DRAMATIS.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

description	pid	process	target process
PID 1668 set thread context of 832	1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 816 set thread context of 1160	816	DRAMATIS.com	DRAMATIS.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

pid process

1668 b31fdfb032644bcb1f8b072f4dc5e11a.exe
816 DRAMATIS.com
Suspicious behavior: RenamesItself 1 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exe

pid process

832 b31fdfb032644bcb1f8b072f4dc5e11a.exe

pid	process
1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe
816	DRAMATIS.com

pid	process
832	b31fdfb032644bcb1f8b072f4dc5e11a.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

description	pid	process
Token: SeDebugPrivilege	832	b31fdfb032644bcb1f8b072f4dc5e11a.exe
Token: SeImpersonatePrivilege	1160	DRAMATIS.com
Token: SeTcbPrivilege	1160	DRAMATIS.com
Token: SeChangeNotifyPrivilege	1160	DRAMATIS.com
Token: SeCreateTokenPrivilege	1160	DRAMATIS.com
Token: SeBackupPrivilege	1160	DRAMATIS.com
Token: SeRestorePrivilege	1160	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	1160	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	1160	DRAMATIS.com
Token: SeImpersonatePrivilege	1160	DRAMATIS.com
Token: SeTcbPrivilege	1160	DRAMATIS.com
Token: SeChangeNotifyPrivilege	1160	DRAMATIS.com
Token: SeCreateTokenPrivilege	1160	DRAMATIS.com
Token: SeBackupPrivilege	1160	DRAMATIS.com
Token: SeRestorePrivilege	1160	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	1160	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	1160	DRAMATIS.com
Token: SeImpersonatePrivilege	1160	DRAMATIS.com
Token: SeTcbPrivilege	1160	DRAMATIS.com
Token: SeChangeNotifyPrivilege	1160	DRAMATIS.com
Token: SeCreateTokenPrivilege	1160	DRAMATIS.com
Token: SeBackupPrivilege	1160	DRAMATIS.com
Token: SeRestorePrivilege	1160	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	1160	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	1160	DRAMATIS.com
Token: SeImpersonatePrivilege	1160	DRAMATIS.com
Token: SeTcbPrivilege	1160	DRAMATIS.com
Token: SeChangeNotifyPrivilege	1160	DRAMATIS.com
Token: SeCreateTokenPrivilege	1160	DRAMATIS.com
Token: SeBackupPrivilege	1160	DRAMATIS.com
Token: SeRestorePrivilege	1160	DRAMATIS.com
Token: SeIncreaseQuotaPrivilege	1160	DRAMATIS.com
Token: SeAssignPrimaryTokenPrivilege	1160	DRAMATIS.com

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.com

pid process

1668 b31fdfb032644bcb1f8b072f4dc5e11a.exe
816 DRAMATIS.com

pid	process
1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe
816	DRAMATIS.com

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exeb31fdfb032644bcb1f8b072f4dc5e11a.exeDRAMATIS.comDRAMATIS.com

description	pid	process	target process
PID 1668 wrote to memory of 832	1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 1668 wrote to memory of 832	1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 1668 wrote to memory of 832	1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 1668 wrote to memory of 832	1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 1668 wrote to memory of 832	1668	b31fdfb032644bcb1f8b072f4dc5e11a.exe	b31fdfb032644bcb1f8b072f4dc5e11a.exe
PID 832 wrote to memory of 816	832	b31fdfb032644bcb1f8b072f4dc5e11a.exe	DRAMATIS.com
PID 832 wrote to memory of 816	832	b31fdfb032644bcb1f8b072f4dc5e11a.exe	DRAMATIS.com
PID 832 wrote to memory of 816	832	b31fdfb032644bcb1f8b072f4dc5e11a.exe	DRAMATIS.com
PID 832 wrote to memory of 816	832	b31fdfb032644bcb1f8b072f4dc5e11a.exe	DRAMATIS.com
PID 816 wrote to memory of 1160	816	DRAMATIS.com	DRAMATIS.com
PID 816 wrote to memory of 1160	816	DRAMATIS.com	DRAMATIS.com
PID 816 wrote to memory of 1160	816	DRAMATIS.com	DRAMATIS.com
PID 816 wrote to memory of 1160	816	DRAMATIS.com	DRAMATIS.com
PID 816 wrote to memory of 1160	816	DRAMATIS.com	DRAMATIS.com
PID 1160 wrote to memory of 1684	1160	DRAMATIS.com	cmd.exe
PID 1160 wrote to memory of 1684	1160	DRAMATIS.com	cmd.exe
PID 1160 wrote to memory of 1684	1160	DRAMATIS.com	cmd.exe
PID 1160 wrote to memory of 1684	1160	DRAMATIS.com	cmd.exe

outlook_office_path 1 IoCs

Processes:

b31fdfb032644bcb1f8b072f4dc5e11a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	b31fdfb032644bcb1f8b072f4dc5e11a.exe

outlook_win_path 1 IoCs

Processes:

DRAMATIS.com

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DRAMATIS.com

C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe
"C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe
"C:\Users\Admin\AppData\Local\Temp\b31fdfb032644bcb1f8b072f4dc5e11a.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
PID:832

C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
"C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com"
3⤵
- Executes dropped EXE
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
"C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com"
4⤵
- Checks QEMU agent file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259490596.bat" "C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com" "
5⤵
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259490596.bat
MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWd6XQZBhARVHwO1QZW240
MD5
f97264a5d29376aadd091cb8880bf4e4

SHA1
1641d112c7f0f31ccff1b9ccab6222d245642e27

SHA256
5bd919690a6400c82da06969c65988a748945cbf3fd6f4ed803884ba516e4bd2

SHA512
6badc1c7bd2b5dad04ff809f0ea6e3a590a777fcaef4750e873bdaea24afd9ce4cc5e1190811632c12f9d6a5cfd67e0b449060fd1811bd55e8863f3a5620b0e2

Download Submit
\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
\Users\Admin\AppData\Local\Temp\DRAMATIS.com
MD5
4d658370321465f62feef44746a5b7e0

SHA1
899a2cde5f9f6885fab0e97bed7ebc5ab68a5d52

SHA256
c90b2b849ae98bd11605bdfbd61c267b2889320ee222473c21a312de41facd1b

SHA512
204743550425f87e6be775f91a089d75320b970abd46d0917404ce0768f46a56a1b5dadfe407462fa35acfbe3318daed65c86bb660e0a49f9688ee94275f0f59

Download Submit
memory/816-84-0x0000000077320000-0x00000000774A0000-memory.dmp

Filesize
1.5MB

Download
memory/816-74-0x0000000000250000-0x0000000000278000-memory.dmp

Filesize
160KB

Download
memory/816-85-0x0000000077320000-0x00000000774A0000-memory.dmp

Filesize
1.5MB

Download
memory/816-82-0x0000000077140000-0x00000000772E9000-memory.dmp

Filesize
1.7MB

Download
memory/832-66-0x0000000077140000-0x00000000772E9000-memory.dmp

Filesize
1.7MB

Download
memory/832-63-0x00000000001B0000-0x0000000000350000-memory.dmp

Filesize
1.6MB

Download
memory/832-75-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/832-62-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/832-67-0x0000000077320000-0x00000000774A0000-memory.dmp

Filesize
1.5MB

Download
memory/1160-86-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/1160-90-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1160-89-0x0000000077140000-0x00000000772E9000-memory.dmp

Filesize
1.7MB

Download
memory/1668-61-0x0000000077320000-0x00000000774A0000-memory.dmp

Filesize
1.5MB

Download
memory/1668-56-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/1668-60-0x0000000077140000-0x00000000772E9000-memory.dmp

Filesize
1.7MB

Download
memory/1668-58-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download