guloader | 878d710875b07ec61bef0b198ba67bf81ad0730a3a483d5762cd18e13fb4b525

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rFACTURA_FAC_2023_1-1000733.PDF.exe
Size

421KB
MD5

a6ef5ed777ba7369c2bb28e46b198ba6
SHA1

f707bc0343f41d95f57e776a9f85f6a2c5791aa7
SHA256

878d710875b07ec61bef0b198ba67bf81ad0730a3a483d5762cd18e13fb4b525
SHA512

3b0bbbf4199dfc669a75a8fb62cfa55423e2331358f43057219ee2a4099cc9c2b007d85b2cb1b6cd9c64d8d8421575690bed95556ca788cf13d6a53c96b3a2eb
SSDEEP

6144:B6bAcJvkzKmPPzS58G93IuZCBabjYBNwmlJ8kUEe/oqBaH0NxsvLg/nkrIak7r8m:a7ubCHICiwkBySs/vBGwxs0vh7rXN

Score

10^/10

guloader snakekeylogger collection discovery downloader keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.eversafe.pt
Port:
587
Username:
[email protected]
Password:
Ev3rsaf3_2021
Email To:
[email protected]

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral1/memory/588-103-0x0000000000400000-0x0000000000615000-memory.dmp	family_snakekeylogger
behavioral1/memory/588-106-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/588-107-0x0000000035F50000-0x0000000035F90000-memory.dmp	family_snakekeylogger
behavioral1/memory/588-109-0x0000000035F50000-0x0000000035F90000-memory.dmp	family_snakekeylogger

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	rFACTURA_FAC_2023_1-1000733.PDF.exe

Loads dropped DLL 2 IoCs

pid	Process
1268	rFACTURA_FAC_2023_1-1000733.PDF.exe
1268	rFACTURA_FAC_2023_1-1000733.PDF.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
588	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1268	rFACTURA_FAC_2023_1-1000733.PDF.exe
588	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 588	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	30

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Cyberkunderne150\Oliebilledets.ter	rFACTURA_FAC_2023_1-1000733.PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	588	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
588	caspol.exe
588	caspol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1268	rFACTURA_FAC_2023_1-1000733.PDF.exe
1268	rFACTURA_FAC_2023_1-1000733.PDF.exe
1268	rFACTURA_FAC_2023_1-1000733.PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	588	caspol.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 560	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	28
PID 1268 wrote to memory of 560	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	28
PID 1268 wrote to memory of 560	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	28
PID 1268 wrote to memory of 560	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	28
PID 1268 wrote to memory of 320	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	29
PID 1268 wrote to memory of 320	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	29
PID 1268 wrote to memory of 320	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	29
PID 1268 wrote to memory of 320	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	29
PID 1268 wrote to memory of 588	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	30
PID 1268 wrote to memory of 588	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	30
PID 1268 wrote to memory of 588	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	30
PID 1268 wrote to memory of 588	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	30
PID 1268 wrote to memory of 588	1268	rFACTURA_FAC_2023_1-1000733.PDF.exe	30
PID 588 wrote to memory of 1612	588	caspol.exe	34
PID 588 wrote to memory of 1612	588	caspol.exe	34
PID 588 wrote to memory of 1612	588	caspol.exe	34
PID 588 wrote to memory of 1612	588	caspol.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\rFACTURA_FAC_2023_1-1000733.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\rFACTURA_FAC_2023_1-1000733.PDF.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURA_FAC_2023_1-1000733.PDF.exe"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURA_FAC_2023_1-1000733.PDF.exe"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\rFACTURA_FAC_2023_1-1000733.PDF.exe"
  2⤵
  - Checks QEMU agent file
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 1872
    3⤵
    - Program crash
    PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy87B.tmp\AdvSplash.dll

Filesize
6KB

MD5
e8b67a37fb41d54a7eda453309d45d97

SHA1
96be9bf7a988d9cea06150d57cd1de19f1fec19e

SHA256
2ad232bccf4ca06cf13475af87b510c5788aa790785fd50509be483afc0e0bcf

SHA512
20effae18eebb2df90d3186a281fa9233a97998f226f7adead0784fbc787feee419973962f8369d8822c1bbcdfb6e7948d9ca6086c9cf90190c8ab3ec97f4c38

Download Submit
\Users\Admin\AppData\Local\Temp\nsy87B.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
memory/588-78-0x0000000000850000-0x0000000002EE9000-memory.dmp

Filesize
38.6MB

Download
memory/588-79-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/588-80-0x0000000000850000-0x0000000002EE9000-memory.dmp

Filesize
38.6MB

Download
memory/588-103-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/588-104-0x0000000000850000-0x0000000002EE9000-memory.dmp

Filesize
38.6MB

Download
memory/588-106-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/588-107-0x0000000035F50000-0x0000000035F90000-memory.dmp

Filesize
256KB

Download
memory/588-109-0x0000000035F50000-0x0000000035F90000-memory.dmp

Filesize
256KB

Download
memory/1268-76-0x00000000032C0000-0x0000000005959000-memory.dmp

Filesize
38.6MB

Download
memory/1268-77-0x00000000032C0000-0x0000000005959000-memory.dmp

Filesize
38.6MB

Download