guloader | 43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5

General

Target

43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe
Size

407KB
MD5

d0306eecb1329a6d25e3859eb094a246
SHA1

47f618e7478d4e14f7f072cd3bc7aa6b95310113
SHA256

43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5
SHA512

f352abd59ab5f0f74c562aa663038474e2039b8a4b5b3121cdf2d082da778953720483849a92298f6ee46fb82d51232e4776eff817fbb58526b7c127581a04fc
SSDEEP

12288:vGjaO1u7KkTfCqYaU6n9MepLgHCV8kEm87W:vGb+KkTfCBaFn9dLgqlEm8C

Score

10^/10

guloader lokibot collection downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	powershell.exe
2840	Ancome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Ancome.exe
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Ancome.exe
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Ancome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2840	Ancome.exe
2840	Ancome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2332	powershell.exe
2840	Ancome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 2840	2332	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000d000000012281-23.dat	nsis_installer_1
behavioral1/files/0x000d000000012281-23.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2332	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2840	Ancome.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2332	2264	43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe	31
PID 2264 wrote to memory of 2332	2264	43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe	31
PID 2264 wrote to memory of 2332	2264	43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe	31
PID 2264 wrote to memory of 2332	2264	43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe	31
PID 2332 wrote to memory of 2840	2332	powershell.exe	34
PID 2332 wrote to memory of 2840	2332	powershell.exe	34
PID 2332 wrote to memory of 2840	2332	powershell.exe	34
PID 2332 wrote to memory of 2840	2332	powershell.exe	34
PID 2332 wrote to memory of 2840	2332	powershell.exe	34
PID 2332 wrote to memory of 2840	2332	powershell.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Ancome.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Ancome.exe

C:\Users\Admin\AppData\Local\Temp\43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe
"C:\Users\Admin\AppData\Local\Temp\43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Recontest=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Leptosomic26.Udt';$Genskabninger=$Recontest.SubString(51485,3);.$Genskabninger($Recontest)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\Ancome.exe
    "C:\Users\Admin\AppData\Local\Temp\Ancome.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Leptosomic26.Udt

Filesize
68KB

MD5
dbdaecdd9f7e16dc10dae658d357276c

SHA1
542144045872fd985ba68c035d703c526e03527f

SHA256
e974c25440e143e007ca3b5bed2d5769e8af0218b3417e1f8d78830de4c1e697

SHA512
d71e47d497921b191410567997765329c1906d4ec88a3283b21653913b60fb08dd8523744b8add57f0ff18db3031d195fb63ac13ad268fec6eee4baf5050a466

Download Submit
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Wienerstole.Mel

Filesize
351KB

MD5
c8be19808a52e77d42070331b31dc56e

SHA1
d4cf31931b64d7dd935cb8ed5c0fba9999bd53c8

SHA256
76d5da3613cd82da47fb5b91e01b24726380757c2b415e69df91a67fa2ee6a74

SHA512
11f457c25dd24c323f213f810e32bdd5a468cf5f79e306c3b34d91d0fcbc04cea225003e0e00782a28a036f40d9e226b863686f8f3285f81eadabcfc637b9369

Download Submit
\Users\Admin\AppData\Local\Temp\Ancome.exe

Filesize
407KB

MD5
d0306eecb1329a6d25e3859eb094a246

SHA1
47f618e7478d4e14f7f072cd3bc7aa6b95310113

SHA256
43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5

SHA512
f352abd59ab5f0f74c562aa663038474e2039b8a4b5b3121cdf2d082da778953720483849a92298f6ee46fb82d51232e4776eff817fbb58526b7c127581a04fc

Download Submit
memory/2332-20-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-18-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-15-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-11-0x0000000074351000-0x0000000074352000-memory.dmp

Filesize
4KB

Download
memory/2332-22-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-21-0x00000000066A0000-0x0000000009134000-memory.dmp

Filesize
42.6MB

Download
memory/2332-14-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-13-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-12-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-27-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2840-47-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2840-49-0x0000000001470000-0x0000000003F04000-memory.dmp

Filesize
42.6MB

Download

Analysis

Sharing