guloader | c736f6b8be27697e20df7837cfbc93b93feadc5faf9252dda0151824cc319dfe

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/03/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Extraccion_Asepeyo_ECC.exe
Size

340KB
MD5

70ee8b692e67cb2d4c9ef93b9a80030b
SHA1

cbea44f294f7cf40da91470f078a961f9645d6d2
SHA256

84e316ba28c1745989fcba630c13792daa4286bee90d828d9eb6e9f36d86f4fd
SHA512

5fad2808729481998876b62b819ead3f28b12dfd80dfb11b43ebb4d121c3c46e46294afce87038210485bbba1c6aed8b927a4d47e1d89a01829e340b9be08712
SSDEEP

6144:nQ606xUAK/TxV595DDV3pv/LW9f6Mu18qMnDf0rXkOEjFX59vtoS7FJJcFg:k3LJZ3pHLW9fG3eDfkCx3vtVJncFg

Score

10^/10

guloader snakekeylogger collection downloader keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.trnmoda.com
Port:
587
Username:
[email protected]
Password:
Trn!2022---
Email To:
[email protected]

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/556-102-0x0000000000400000-0x0000000000615000-memory.dmp	family_snakekeylogger

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Extraccion_Asepeyo_ECC.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	Extraccion_Asepeyo_ECC.exe
1232	Extraccion_Asepeyo_ECC.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Autogensvejse\Dispowder\tilsttendes.Per	Extraccion_Asepeyo_ECC.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
556	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1232	Extraccion_Asepeyo_ECC.exe
556	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 556	1232	Extraccion_Asepeyo_ECC.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Superstars148\Fodslbende\Hippocampus.Run	Extraccion_Asepeyo_ECC.exe
File created	C:\Program Files (x86)\Undertvungnes.lnk	Extraccion_Asepeyo_ECC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\Tilskrivningen.ini	Extraccion_Asepeyo_ECC.exe
File opened for modification	C:\Windows\Fonts\Pharyngorhinitis\Silicispongiae\Barrikaden.Scr	Extraccion_Asepeyo_ECC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
556	caspol.exe
556	caspol.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1232	Extraccion_Asepeyo_ECC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	caspol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 556	1232	Extraccion_Asepeyo_ECC.exe	28
PID 1232 wrote to memory of 556	1232	Extraccion_Asepeyo_ECC.exe	28
PID 1232 wrote to memory of 556	1232	Extraccion_Asepeyo_ECC.exe	28
PID 1232 wrote to memory of 556	1232	Extraccion_Asepeyo_ECC.exe	28
PID 1232 wrote to memory of 556	1232	Extraccion_Asepeyo_ECC.exe	28
PID 556 wrote to memory of 1980	556	caspol.exe	32
PID 556 wrote to memory of 1980	556	caspol.exe	32
PID 556 wrote to memory of 1980	556	caspol.exe	32
PID 556 wrote to memory of 1980	556	caspol.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\Extraccion_Asepeyo_ECC.exe
"C:\Users\Admin\AppData\Local\Temp\Extraccion_Asepeyo_ECC.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\Extraccion_Asepeyo_ECC.exe"
  2⤵
  - Checks QEMU agent file
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1608
    3⤵
    PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso18B1.tmp\AdvSplash.dll

Filesize
6KB

MD5
e8b67a37fb41d54a7eda453309d45d97

SHA1
96be9bf7a988d9cea06150d57cd1de19f1fec19e

SHA256
2ad232bccf4ca06cf13475af87b510c5788aa790785fd50509be483afc0e0bcf

SHA512
20effae18eebb2df90d3186a281fa9233a97998f226f7adead0784fbc787feee419973962f8369d8822c1bbcdfb6e7948d9ca6086c9cf90190c8ab3ec97f4c38

Download Submit
\Users\Admin\AppData\Local\Temp\nso18B1.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
memory/556-79-0x0000000000970000-0x0000000001A0A000-memory.dmp

Filesize
16.6MB

Download
memory/556-80-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/556-102-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/556-103-0x0000000000970000-0x0000000001A0A000-memory.dmp

Filesize
16.6MB

Download
memory/556-104-0x0000000032A50000-0x0000000032A90000-memory.dmp

Filesize
256KB

Download
memory/556-105-0x0000000000970000-0x0000000001A0A000-memory.dmp

Filesize
16.6MB

Download
memory/556-109-0x0000000032A50000-0x0000000032A90000-memory.dmp

Filesize
256KB

Download
memory/1232-77-0x0000000003070000-0x000000000410A000-memory.dmp

Filesize
16.6MB

Download
memory/1232-78-0x0000000003070000-0x000000000410A000-memory.dmp

Filesize
16.6MB

Download
memory/1980-107-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download