guloader | 60e1a6a93ad368ac92dd0f02f2416e1a0eb5cd3d441a2df8704225bd94fbaad2

Resubmissions

03-10-2022 05:31

221003-f7s2jsbbdr 10

05-09-2022 07:41

220905-jh5wladcak 10

Analysis

max time kernel
135s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request for Quote (Waseda University) 05- 09-2022.exe
Size

558KB
MD5

a1e9139a63b33375b3c2ab70b8fed769
SHA1

da835d5d7ca257b776a8616b365e41084724771c
SHA256

60e1a6a93ad368ac92dd0f02f2416e1a0eb5cd3d441a2df8704225bd94fbaad2
SHA512

43b9e35aa0713ec56876f7bca3e7af9c0a7828b0b6867ea15b609aeed7445501d9546b8ae2908c736b55dbc790dd651e0709de33bd70d4c2b226a69b4afe0a3a
SSDEEP

12288:40SKoJ47FnSzRDnhfbrf+rwr5Do1Q3buie+Dhhr0ZTPHnIDqmhQmuH:lLocFnS1Dnhf2k1JfeeXr0ZHIFK

Score

10^/10

guloader lokibot collection discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Request for Quote (Waseda University) 05- 09-2022.exeRequest for Quote (Waseda University) 05- 09-2022.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Request for Quote (Waseda University) 05- 09-2022.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Request for Quote (Waseda University) 05- 09-2022.exe

Loads dropped DLL 2 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

pid process

1720 Request for Quote (Waseda University) 05- 09-2022.exe
1720 Request for Quote (Waseda University) 05- 09-2022.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1720	Request for Quote (Waseda University) 05- 09-2022.exe
1720	Request for Quote (Waseda University) 05- 09-2022.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Request for Quote (Waseda University) 05- 09-2022.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Request for Quote (Waseda University) 05- 09-2022.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Request for Quote (Waseda University) 05- 09-2022.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

pid process

1792 Request for Quote (Waseda University) 05- 09-2022.exe
1792 Request for Quote (Waseda University) 05- 09-2022.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exeRequest for Quote (Waseda University) 05- 09-2022.exe

pid process

1720 Request for Quote (Waseda University) 05- 09-2022.exe
1792 Request for Quote (Waseda University) 05- 09-2022.exe

pid	process
1792	Request for Quote (Waseda University) 05- 09-2022.exe
1792	Request for Quote (Waseda University) 05- 09-2022.exe

pid	process
1720	Request for Quote (Waseda University) 05- 09-2022.exe
1792	Request for Quote (Waseda University) 05- 09-2022.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

description	pid	process	target process
PID 1720 set thread context of 1792	1720	Request for Quote (Waseda University) 05- 09-2022.exe	Request for Quote (Waseda University) 05- 09-2022.exe

Drops file in Program Files directory 1 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Pterygopharyngeal\Magnoliers.Ral	Request for Quote (Waseda University) 05- 09-2022.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

pid process

1720 Request for Quote (Waseda University) 05- 09-2022.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

description pid process

Token: SeDebugPrivilege 1792 Request for Quote (Waseda University) 05- 09-2022.exe

pid	process
1720	Request for Quote (Waseda University) 05- 09-2022.exe

description	pid	process
Token: SeDebugPrivilege	1792	Request for Quote (Waseda University) 05- 09-2022.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

description	pid	process	target process
PID 1720 wrote to memory of 1792	1720	Request for Quote (Waseda University) 05- 09-2022.exe	Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792	1720	Request for Quote (Waseda University) 05- 09-2022.exe	Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792	1720	Request for Quote (Waseda University) 05- 09-2022.exe	Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792	1720	Request for Quote (Waseda University) 05- 09-2022.exe	Request for Quote (Waseda University) 05- 09-2022.exe
PID 1720 wrote to memory of 1792	1720	Request for Quote (Waseda University) 05- 09-2022.exe	Request for Quote (Waseda University) 05- 09-2022.exe

outlook_office_path 1 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Request for Quote (Waseda University) 05- 09-2022.exe

outlook_win_path 1 IoCs

Processes:

Request for Quote (Waseda University) 05- 09-2022.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Request for Quote (Waseda University) 05- 09-2022.exe

C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quote (Waseda University) 05- 09-2022.exe"
2⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd5B2D.tmp\Math.dll
Filesize
169KB

MD5
66f2ce4302893b92295223ed9b5e5e5e

SHA1
e27dc596fe1e2fa5416f3f490c6f2f0b9b5b3077

SHA256
2b05d1dfcf3a57ac6e6ef326611a13f8934b9c56d4e75d65d5e301d2793e09bb

SHA512
38aa695cd86d38af41dfe444faf46707e28141ed1fea636d515fc785a15eadc560a6a30270fde2e5a759dec4d1ff4ee22b5079fd21312eff5974cac76b9720b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5B2D.tmp\System.dll
Filesize
11KB

MD5
2e07bbddc0912b77cac77afe9d9035ee

SHA1
33a4646191dd25c034b5223ebfed761969301710

SHA256
97ace5ce4e05225db3c1345a2d1b5fa7d2281bb51fc5aa2d34c186befa9e000f

SHA512
56c5793b01a1e5c356db005d9833d4c6f703204cff5dbb4613620cd1a90ef5acf91c3e7654295e9f63732a104d83fb471483c188449d75d8c009a81a544fe388

Download Submit
memory/1720-71-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1720-57-0x0000000002500000-0x000000000314A000-memory.dmp

Filesize
12.3MB

Download
memory/1720-59-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/1720-60-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1720-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1720-63-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1792-62-0x00000000004034F0-mapping.dmp

Download
memory/1792-65-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1792-68-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1792-69-0x0000000077380000-0x0000000077529000-memory.dmp

Filesize
1.7MB

Download
memory/1792-70-0x0000000077560000-0x00000000776E0000-memory.dmp

Filesize
1.5MB

Download
memory/1792-64-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download