guloader | a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ce

Analysis

max time kernel
112s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
Size

720KB
MD5

71c52354f7a11731ac1acf20e22bf9f0
SHA1

2d53c7e64f9d894ad70907e89974776355c5f353
SHA256

a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ce
SHA512

bf7aeac82212d12f2d204164d46f13d0eb0ec63965051dd22532fceeca91e36eef6c01e5d6f9a9dbb5eb03d16040b93e42de25656ac14c9c4c38c66cf005ba8d
SSDEEP

12288:4MwaNZMK2sjLTeLXT764nwNtsgw3PgAeeVhGctc7K:4MwaNIYLTkZ2Mobe07K

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.foodex.com.pk
Port:
587
Username:
[email protected]
Password:
wajahat1975

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.foodex.com.pk
Port:
587
Username:
[email protected]
Password:
wajahat1975
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 1 IoCs

pid	Process
3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\diskussionsklubbens.ini	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2924	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
2924	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3520 set thread context of 2924	3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe	96

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\mooktar\julekaktussers.ini	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2924	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
2924	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2924	3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe	96
PID 3520 wrote to memory of 2924	3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe	96
PID 3520 wrote to memory of 2924	3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe	96
PID 3520 wrote to memory of 2924	3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe	96
PID 3520 wrote to memory of 2924	3520	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe

C:\Users\Admin\AppData\Local\Temp\a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
"C:\Users\Admin\AppData\Local\Temp\a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe
  "C:\Users\Admin\AppData\Local\Temp\a53383bbc7e9c1a2f461bb8c13a15d155103da0bd024f1babca3fddf4123f8ceN.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nslA104.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
memory/2924-28-0x0000000037210000-0x00000000373D2000-memory.dmp

Filesize
1.8MB

Download
memory/2924-21-0x00000000016C0000-0x00000000039D1000-memory.dmp

Filesize
35.1MB

Download
memory/2924-34-0x0000000033FE0000-0x0000000033FEA000-memory.dmp

Filesize
40KB

Download
memory/2924-33-0x0000000033EF0000-0x0000000033F82000-memory.dmp

Filesize
584KB

Download
memory/2924-23-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/2924-17-0x00000000016C0000-0x00000000039D1000-memory.dmp

Filesize
35.1MB

Download
memory/2924-31-0x00000000374E0000-0x0000000037A0C000-memory.dmp

Filesize
5.2MB

Download
memory/2924-22-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/2924-29-0x0000000037400000-0x0000000037450000-memory.dmp

Filesize
320KB

Download
memory/2924-24-0x00000000367E0000-0x0000000036D84000-memory.dmp

Filesize
5.6MB

Download
memory/2924-25-0x00000000365F0000-0x000000003668C000-memory.dmp

Filesize
624KB

Download
memory/3520-12-0x00000000032C0000-0x00000000055D1000-memory.dmp

Filesize
35.1MB

Download
memory/3520-16-0x00000000032C0000-0x00000000055D1000-memory.dmp

Filesize
35.1MB

Download
memory/3520-13-0x00000000032C0000-0x00000000055D1000-memory.dmp

Filesize
35.1MB

Download
memory/3520-15-0x00000000741F5000-0x00000000741F6000-memory.dmp

Filesize
4KB

Download
memory/3520-14-0x0000000077501000-0x0000000077621000-memory.dmp

Filesize
1.1MB

Download