guloader | faeb846f5c806316e74d1961fbdeccb4842b58fa3c9a431d29ec1ffb37340a98

General

Target

REQUEST FOR BID 06-09-2022·pdf.exe
Size

559KB
MD5

b794d1262f443b4e8ee47e513ca542f9
SHA1

9a586d9929b816f73b92c798348f2ae223c3ad22
SHA256

faeb846f5c806316e74d1961fbdeccb4842b58fa3c9a431d29ec1ffb37340a98
SHA512

f6d84d4bcaad7508521c93b75778c335e256f91f913524311836ce198519d1d2665aaf56dc19ca9fe54fb6efcd38c10e513660bcd27dd77c8e4609b13c3096f4
SSDEEP

12288:K0SKoJ47FnBVsfXx62E+rwr5Do1Q3buie+Dhhr0ZTPHnIDqmhQmuto8:DLocFnBSXfk1JfeeXr0ZHIFao8

Score

10^/10

guloader nanocore discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

press042.hopto.org:2535

Mutex

edbdf99a-2ffe-48fa-80c4-0486150dac33

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2022-06-18T10:09:49.146252736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2535
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
edbdf99a-2ffe-48fa-80c4-0486150dac33
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
press042.hopto.org
primary_dns_server
press042.hopto.org
request_elevation
true
restart_delay
5000
run_delay
14
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

REQUEST FOR BID 06-09-2022·pdf.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	REQUEST FOR BID 06-09-2022·pdf.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 2 IoCs

Processes:

REQUEST FOR BID 06-09-2022·pdf.exe

pid process

1968 REQUEST FOR BID 06-09-2022·pdf.exe
1968 REQUEST FOR BID 06-09-2022·pdf.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

1528 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

REQUEST FOR BID 06-09-2022·pdf.execaspol.exe

pid process

1968 REQUEST FOR BID 06-09-2022·pdf.exe
1528 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

REQUEST FOR BID 06-09-2022·pdf.exe

description pid process target process

PID 1968 set thread context of 1528 1968 REQUEST FOR BID 06-09-2022·pdf.exe caspol.exe

pid	process
1968	REQUEST FOR BID 06-09-2022·pdf.exe
1968	REQUEST FOR BID 06-09-2022·pdf.exe

pid	process
1528	caspol.exe

pid	process
1968	REQUEST FOR BID 06-09-2022·pdf.exe
1528	caspol.exe

description	pid	process	target process
PID 1968 set thread context of 1528	1968	REQUEST FOR BID 06-09-2022·pdf.exe	caspol.exe

Drops file in Program Files directory 1 IoCs

Processes:

REQUEST FOR BID 06-09-2022·pdf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Pterygopharyngeal\Magnoliers.Ral	REQUEST FOR BID 06-09-2022·pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2008 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

caspol.exe

pid process

1528 caspol.exe
1528 caspol.exe
1528 caspol.exe
1528 caspol.exe
1528 caspol.exe
1528 caspol.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

caspol.exe

pid process

1528 caspol.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

REQUEST FOR BID 06-09-2022·pdf.exe

pid process

1968 REQUEST FOR BID 06-09-2022·pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

caspol.exe

description pid process

Token: SeDebugPrivilege 1528 caspol.exe

pid	process
2008	schtasks.exe

pid	process
1528	caspol.exe
1528	caspol.exe
1528	caspol.exe
1528	caspol.exe
1528	caspol.exe
1528	caspol.exe

pid	process
1528	caspol.exe

pid	process
1968	REQUEST FOR BID 06-09-2022·pdf.exe

description	pid	process
Token: SeDebugPrivilege	1528	caspol.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

REQUEST FOR BID 06-09-2022·pdf.execaspol.exe

description	pid	process	target process
PID 1968 wrote to memory of 1528	1968	REQUEST FOR BID 06-09-2022·pdf.exe	caspol.exe
PID 1968 wrote to memory of 1528	1968	REQUEST FOR BID 06-09-2022·pdf.exe	caspol.exe
PID 1968 wrote to memory of 1528	1968	REQUEST FOR BID 06-09-2022·pdf.exe	caspol.exe
PID 1968 wrote to memory of 1528	1968	REQUEST FOR BID 06-09-2022·pdf.exe	caspol.exe
PID 1968 wrote to memory of 1528	1968	REQUEST FOR BID 06-09-2022·pdf.exe	caspol.exe
PID 1528 wrote to memory of 2008	1528	caspol.exe	schtasks.exe
PID 1528 wrote to memory of 2008	1528	caspol.exe	schtasks.exe
PID 1528 wrote to memory of 2008	1528	caspol.exe	schtasks.exe
PID 1528 wrote to memory of 2008	1528	caspol.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR BID 06-09-2022·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR BID 06-09-2022·pdf.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR BID 06-09-2022·pdf.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5EE5.tmp"
3⤵
- Creates scheduled task(s)
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5EE5.tmp
Filesize
1KB

MD5
497f298fc157762f192a7c42854c6fb6

SHA1
04bec630f5cc64ea17c0e3e780b3ccf15a35c6e0

SHA256
3462cbe62fbb64fc53a0fcf97e43baafe9dd9929204f586a86afe4b89d8048a6

SHA512
c7c6fd3097f4d1ccd313160fedf7cb031644e0836b8c3e25481095e5f4b003759bc84fc6ea9421e3a090e66dc2ff875fec2f394a386691ab178cb164733411b2

Download Submit
\Users\Admin\AppData\Local\Temp\nso7E28.tmp\Math.dll
Filesize
169KB

MD5
66f2ce4302893b92295223ed9b5e5e5e

SHA1
e27dc596fe1e2fa5416f3f490c6f2f0b9b5b3077

SHA256
2b05d1dfcf3a57ac6e6ef326611a13f8934b9c56d4e75d65d5e301d2793e09bb

SHA512
38aa695cd86d38af41dfe444faf46707e28141ed1fea636d515fc785a15eadc560a6a30270fde2e5a759dec4d1ff4ee22b5079fd21312eff5974cac76b9720b7

Download Submit
\Users\Admin\AppData\Local\Temp\nso7E28.tmp\System.dll
Filesize
11KB

MD5
2e07bbddc0912b77cac77afe9d9035ee

SHA1
33a4646191dd25c034b5223ebfed761969301710

SHA256
97ace5ce4e05225db3c1345a2d1b5fa7d2281bb51fc5aa2d34c186befa9e000f

SHA512
56c5793b01a1e5c356db005d9833d4c6f703204cff5dbb4613620cd1a90ef5acf91c3e7654295e9f63732a104d83fb471483c188449d75d8c009a81a544fe388

Download Submit
memory/1528-70-0x00000000777E0000-0x0000000077960000-memory.dmp

Filesize
1.5MB

Download
memory/1528-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-83-0x000000001D336000-0x000000001D347000-memory.dmp

Filesize
68KB

Download
memory/1528-62-0x00000000009D8A9E-mapping.dmp

Download
memory/1528-82-0x00000000736F0000-0x0000000073C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-65-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/1528-81-0x00000000777E0000-0x0000000077960000-memory.dmp

Filesize
1.5MB

Download
memory/1528-80-0x000000001D336000-0x000000001D347000-memory.dmp

Filesize
68KB

Download
memory/1528-67-0x0000000077600000-0x00000000777A9000-memory.dmp

Filesize
1.7MB

Download
memory/1528-75-0x00000000736F0000-0x0000000073C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-71-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1528-72-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1968-64-0x00000000777E0000-0x0000000077960000-memory.dmp

Filesize
1.5MB

Download
memory/1968-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1968-76-0x0000000003430000-0x000000000356B000-memory.dmp

Filesize
1.2MB

Download
memory/1968-77-0x00000000777E0000-0x0000000077960000-memory.dmp

Filesize
1.5MB

Download
memory/1968-57-0x0000000003430000-0x000000000356B000-memory.dmp

Filesize
1.2MB

Download
memory/1968-66-0x00000000777E0000-0x0000000077960000-memory.dmp

Filesize
1.5MB

Download
memory/1968-58-0x0000000003430000-0x000000000356B000-memory.dmp

Filesize
1.2MB

Download
memory/1968-63-0x00000000777E0000-0x0000000077960000-memory.dmp

Filesize
1.5MB

Download
memory/1968-59-0x0000000077600000-0x00000000777A9000-memory.dmp

Filesize
1.7MB

Download
memory/2008-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads