guloader | a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/01/2023, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
Size

622KB
MD5

a1eb9b01ff7b80dac067728bc1476c55
SHA1

40be959c6151c3a224189045084c0c729540390d
SHA256

a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b
SHA512

bde60cd01dcfcba0053279725c9cae50b3941c3471bc41eddf8e287934f8f11e2218d9d5245b2cabae5a7ca58f5f66aaf4bb76c908e9f4d0fe4e03224d60ca33
SSDEEP

12288:AcWJ+6nT8mlodoRNnKRpj25w3Ng1ADX9rMIbyyjRt:AXBn1lodo6jf3NgMBxOyj/

Score

10^/10

guloader marsstealer default discovery downloader spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

152.89.218.97/gate.php

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Deletes itself 1 IoCs

pid	Process
568	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Befalings\Zoocoenocyte73\Samordningsproblemers.ini	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 968	1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	27

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tennist\Retteskemaer\Udblst217\Bacillogenic.ini	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
672	timeout.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 968	1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	27
PID 1532 wrote to memory of 968	1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	27
PID 1532 wrote to memory of 968	1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	27
PID 1532 wrote to memory of 968	1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	27
PID 1532 wrote to memory of 968	1532	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	27
PID 968 wrote to memory of 568	968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	30
PID 968 wrote to memory of 568	968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	30
PID 968 wrote to memory of 568	968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	30
PID 968 wrote to memory of 568	968	SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe	30
PID 568 wrote to memory of 672	568	cmd.exe	32
PID 568 wrote to memory of 672	568	cmd.exe	32
PID 568 wrote to memory of 672	568	cmd.exe	32
PID 568 wrote to memory of 672	568	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"
  2⤵
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe" & exit
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\nsiCAF.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/968-82-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/968-79-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-108-0x0000000001470000-0x0000000007313000-memory.dmp

Filesize
94.6MB

Download
memory/968-64-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-65-0x0000000001470000-0x0000000007313000-memory.dmp

Filesize
94.6MB

Download
memory/968-106-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-105-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/968-68-0x0000000001470000-0x0000000007313000-memory.dmp

Filesize
94.6MB

Download
memory/968-69-0x0000000076ED0000-0x0000000077079000-memory.dmp

Filesize
1.7MB

Download
memory/968-72-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/968-73-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-76-0x0000000000401000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-78-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/968-103-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/968-81-0x0000000076ED0000-0x0000000077079000-memory.dmp

Filesize
1.7MB

Download
memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1532-80-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/1532-58-0x0000000076ED0000-0x0000000077079000-memory.dmp

Filesize
1.7MB

Download
memory/1532-62-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/1532-57-0x0000000002520000-0x000000000316A000-memory.dmp

Filesize
12.3MB

Download
memory/1532-66-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/1532-67-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download
memory/1532-56-0x0000000002520000-0x000000000316A000-memory.dmp

Filesize
12.3MB

Download
memory/1532-63-0x00000000770B0000-0x0000000077230000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads