guloader | 30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40

Analysis

max time kernel
127s
max time network
130s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
05-10-2022 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
Size

380KB
MD5

a6c3eaa47e2d0922063f85495282b1e3
SHA1

5fa0211414a8b535c4db767cb2f417264b0d3628
SHA256

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40
SHA512

30c35fc4c95b6c9bb60ef7f4d00ed72d49c0601dc63d63db35cff1ecbc293e731ffd2f54d37c63e5aff26b898fe9cd01b81259e5b8574d7151e65466f22f7f5a
SSDEEP

6144:2qaFH+9LrEb6qlZokYZvVaxh7kY4TNryt5x+NAPskxrlIsNq1kCPIsQlw3OeAK6U:25IQrvY4LvxgAPskYb1XIDlw+zK6U

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

Loads dropped DLL 1 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

pid process

2744 30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

pid	process
2956	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
2956	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

pid	process
2744	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
2956	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

description	pid	process	target process
PID 2744 set thread context of 2956	2744	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

Drops file in Program Files directory 1 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Cydon.Pre	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3220 2956 WerFault.exe 30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

pid process

2744 30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

pid	pid_target	process	target process
3220	2956	WerFault.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

description	pid	process	target process
PID 2744 wrote to memory of 2956	2744	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
PID 2744 wrote to memory of 2956	2744	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
PID 2744 wrote to memory of 2956	2744	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
PID 2744 wrote to memory of 2956	2744	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

outlook_office_path 1 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

outlook_win_path 1 IoCs

Processes:

30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe

C:\Users\Admin\AppData\Local\Temp\30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
"C:\Users\Admin\AppData\Local\Temp\30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe
"C:\Users\Admin\AppData\Local\Temp\30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40.exe"
2⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- outlook_office_path
- outlook_win_path
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1672
3⤵
- Program crash
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsaC857.tmp\System.dll
Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
memory/2744-120-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-121-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-122-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-123-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-124-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-125-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-126-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-127-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-128-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-129-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-130-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-132-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-131-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-133-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-134-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-135-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-136-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-137-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-138-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-139-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-140-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-141-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-142-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-144-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-145-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-147-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-149-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-150-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-148-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-146-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-143-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-151-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-152-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-153-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-154-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-155-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-156-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-157-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-158-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-159-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-160-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-161-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-162-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-163-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-164-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-166-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-165-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-167-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-168-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-169-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-171-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-172-0x0000000004980000-0x0000000004A81000-memory.dmp

Filesize
1.0MB

Download
memory/2744-173-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-174-0x0000000004980000-0x0000000004A81000-memory.dmp

Filesize
1.0MB

Download
memory/2744-175-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-176-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-177-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-178-0x00007FFCD17B0000-0x00007FFCD198B000-memory.dmp

Filesize
1.9MB

Download
memory/2744-179-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-182-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2744-259-0x0000000004980000-0x0000000004A81000-memory.dmp

Filesize
1.0MB

Download
memory/2956-180-0x00000000004032A0-mapping.dmp

Download
memory/2956-181-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-183-0x0000000000400000-0x0000000001783000-memory.dmp

Filesize
19.5MB

Download
memory/2956-185-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-186-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-187-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-188-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-189-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-190-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-206-0x0000000001790000-0x0000000001890000-memory.dmp

Filesize
1024KB

Download
memory/2956-208-0x0000000001790000-0x0000000001890000-memory.dmp

Filesize
1024KB

Download
memory/2956-232-0x00007FFCD17B0000-0x00007FFCD198B000-memory.dmp

Filesize
1.9MB

Download
memory/2956-234-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-260-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-261-0x0000000001790000-0x0000000001890000-memory.dmp

Filesize
1024KB

Download