guloader | 19b6b6474d7c1f9b4dceac97c5e04973c2c6a9f0fa5db557aac4c2822251ffe8

General

Target

SecuriteInfo.com.Mal.Generic-S.31559.exe
Size

405KB
MD5

ec9b172ab41e8140d3f4410d391a5cf2
SHA1

3f233527ae66b9f8ba1541b6111ec740fb64894a
SHA256

19b6b6474d7c1f9b4dceac97c5e04973c2c6a9f0fa5db557aac4c2822251ffe8
SHA512

44fc91192aa9bb6f007bb68beb1555c40c7014683c7992fb74ec095be0bc5232fa19904f7bd500dbe3a7b16c218e9ebd7eaafea3dfaaf1699dc086796a8ff3b0
SSDEEP

6144:EEh9vQptxn/AcN4nSVzhYCk1QNvy+guHJsw/KhCd8bA6+JEo9TWMrGg:ERfTiSzM+5pEAKbA6IE0/p

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SecuriteInfo.com.Mal.Generic-S.31559.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SecuriteInfo.com.Mal.Generic-S.31559.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	SecuriteInfo.com.Mal.Generic-S.31559.exe
1044	SecuriteInfo.com.Mal.Generic-S.31559.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SecuriteInfo.com.Mal.Generic-S.31559.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Mal.Generic-S.31559.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Mal.Generic-S.31559.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1972	SecuriteInfo.com.Mal.Generic-S.31559.exe
1972	SecuriteInfo.com.Mal.Generic-S.31559.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1044	SecuriteInfo.com.Mal.Generic-S.31559.exe
1972	SecuriteInfo.com.Mal.Generic-S.31559.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 1972	1044	SecuriteInfo.com.Mal.Generic-S.31559.exe	27

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Yes.Trd	SecuriteInfo.com.Mal.Generic-S.31559.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1044	SecuriteInfo.com.Mal.Generic-S.31559.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1972	SecuriteInfo.com.Mal.Generic-S.31559.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	SecuriteInfo.com.Mal.Generic-S.31559.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1972	1044	SecuriteInfo.com.Mal.Generic-S.31559.exe	27
PID 1044 wrote to memory of 1972	1044	SecuriteInfo.com.Mal.Generic-S.31559.exe	27
PID 1044 wrote to memory of 1972	1044	SecuriteInfo.com.Mal.Generic-S.31559.exe	27
PID 1044 wrote to memory of 1972	1044	SecuriteInfo.com.Mal.Generic-S.31559.exe	27
PID 1044 wrote to memory of 1972	1044	SecuriteInfo.com.Mal.Generic-S.31559.exe	27

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Mal.Generic-S.31559.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SecuriteInfo.com.Mal.Generic-S.31559.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.31559.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.31559.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.31559.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.31559.exe"
  2⤵
  - Checks QEMU agent file
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst3A06.tmp\Math.dll

Filesize
171KB

MD5
6842d53e7b4e7d3f0cd2e45fe4616320

SHA1
f7b8d00938d81c1dd93e40c2c19fe3512bf3bf0c

SHA256
03a6d1477f124fd0c01b605a5ba14049a9b6ab33f8f0c467c1391ded90679de5

SHA512
c2cb00eaf298a44cffd38843e88310f1f73cff1ae1d41a6a66a0c304adabbfffd1c66d545ee01a0630edb3c267e94020d254a0b9d698b8b0f39d4dfe7ad59f48

Download Submit
\Users\Admin\AppData\Local\Temp\nst3A06.tmp\System.dll

Filesize
12KB

MD5
637e1fa13012a78922b6e98efc0b12e2

SHA1
8012d44e42cd6d813ea63d5ccbf190fe72e3c778

SHA256
703e17d30a91775f8ddc2648b537fc846fad6415589a503a4529c36f60a17439

SHA512
932ed6a52e89c4fa587a7c0c3903d69cf89a32dbd46ed8dcb251abb6c15192d92b1f624c31f0e4bd3e9bf95fc1a55fdb7cee9dd668e1b4f22ddb95786c063e96

Download Submit
memory/1044-64-0x0000000077940000-0x0000000077AC0000-memory.dmp

Filesize
1.5MB

Download
memory/1044-70-0x0000000003A00000-0x0000000003B3B000-memory.dmp

Filesize
1.2MB

Download
memory/1044-58-0x0000000003A00000-0x0000000003B3B000-memory.dmp

Filesize
1.2MB

Download
memory/1044-59-0x0000000077760000-0x0000000077909000-memory.dmp

Filesize
1.7MB

Download
memory/1044-57-0x0000000003A00000-0x0000000003B3B000-memory.dmp

Filesize
1.2MB

Download
memory/1044-71-0x0000000077940000-0x0000000077AC0000-memory.dmp

Filesize
1.5MB

Download
memory/1044-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1972-66-0x0000000077760000-0x0000000077909000-memory.dmp

Filesize
1.7MB

Download
memory/1972-69-0x0000000077940000-0x0000000077AC0000-memory.dmp

Filesize
1.5MB

Download
memory/1972-65-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1972-63-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1972-72-0x0000000077940000-0x0000000077AC0000-memory.dmp

Filesize
1.5MB

Download
memory/1972-73-0x0000000077940000-0x0000000077AC0000-memory.dmp

Filesize
1.5MB

Download
memory/1972-74-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing