guloader | 4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2023 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rgssexe.exe
Size

507KB
MD5

7f6e2a0959481ac955ffa5c591a1e25e
SHA1

02ce117dc8c9b08e381aaccf102766f436166597
SHA256

4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946
SHA512

928ccaaf714cdbe7fa60925d5b8f351ef9d2ea080047e3bc5678975c50d3ec5fd74c371279aca0980704f38324b832b4236811aab2ae93598884f61a9ac32d88
SSDEEP

12288:9FKBG73lOUG2H7zS8zjDMpOltJJCSJEM1oPa7XK:BrlMa7zbzPMWJJVv11a

Score

10^/10

guloader lokibot collection discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Rgssexe.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Rgssexe.exe

Loads dropped DLL 1 IoCs

pid	Process
4876	Rgssexe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Rgssexe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Rgssexe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Rgssexe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5C445262-361D-4783-8FCB-8C5F5B2519E7}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7DCEB91F-39A4-4B9C-9947-CB9958348918}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8D791DF6-26B2-47A0-8A98-F9F8C476A4C6}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3F262A1D-1828-481F-8856-B1C515690AA1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{609D5FA8-1457-4C49-AEB9-471376EFAB44}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F3544297-1A11-45FB-9B63-79797D336DD0}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8F5B8D4F-C287-43B5-9E11-799F729694BD}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61CE1BDC-4CB7-41FD-9D25-7342A2F2D210}.catalogItem	svchost.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
116	Rgssexe.exe
116	Rgssexe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4876	Rgssexe.exe
116	Rgssexe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4876 set thread context of 116	4876	Rgssexe.exe	89

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\cardiotrophia\Kommastningerne.gen	Rgssexe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4876	Rgssexe.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
116	Rgssexe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	Rgssexe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 116	4876	Rgssexe.exe	89
PID 4876 wrote to memory of 116	4876	Rgssexe.exe	89
PID 4876 wrote to memory of 116	4876	Rgssexe.exe	89
PID 4876 wrote to memory of 116	4876	Rgssexe.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Rgssexe.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Rgssexe.exe

C:\Users\Admin\AppData\Local\Temp\Rgssexe.exe
"C:\Users\Admin\AppData\Local\Temp\Rgssexe.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\Rgssexe.exe
  "C:\Users\Admin\AppData\Local\Temp\Rgssexe.exe"
  2⤵
  - Checks QEMU agent file
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg7FA5.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3259792829-1422303781-2047321929-1000\0f5007522459c86e95ffcc62f32308f1_7a0b5f63-92b5-4443-b457-34250c67f41d

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3259792829-1422303781-2047321929-1000\0f5007522459c86e95ffcc62f32308f1_7a0b5f63-92b5-4443-b457-34250c67f41d

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/116-143-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/116-144-0x0000000001660000-0x0000000004875000-memory.dmp

Filesize
50.1MB

Download
memory/116-145-0x0000000001660000-0x0000000004875000-memory.dmp

Filesize
50.1MB

Download
memory/116-149-0x0000000001660000-0x0000000004875000-memory.dmp

Filesize
50.1MB

Download
memory/116-150-0x0000000001660000-0x0000000004875000-memory.dmp

Filesize
50.1MB

Download
memory/4876-141-0x00000000041F0000-0x0000000007405000-memory.dmp

Filesize
50.1MB

Download
memory/4876-142-0x00000000041F0000-0x0000000007405000-memory.dmp

Filesize
50.1MB

Download