Malware Analysis Report

2025-04-03 14:22

Sample ID 241210-sx2l6aynh1
Target Bank Swift and SOA PRN0072700314159453_pdf.exe
SHA256 6f45bd0535f4654ea024f6336cdeecbc44272c903353963a7d7a0f8d8e74a51e
Tags
discovery guloader collection downloader evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f45bd0535f4654ea024f6336cdeecbc44272c903353963a7d7a0f8d8e74a51e

Threat Level: Known bad

The file Bank Swift and SOA PRN0072700314159453_pdf.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader collection downloader evasion spyware stealer

Guloader,Cloudeye

Guloader family

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Loads dropped DLL

Reads user/profile data of local email clients

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-10 15:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-10 15:31

Reported

2024-12-10 15:33

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 3832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 3832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 3832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3832 -ip 3832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-10 15:31

Reported

2024-12-10 15:33

Platform

win7-20240903-en

Max time kernel

10s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstDFF5.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

memory/2312-15-0x0000000003770000-0x0000000004CDA000-memory.dmp

memory/2312-20-0x0000000003770000-0x0000000004CDA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-10 15:31

Reported

2024-12-10 15:33

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Disables Task Manager via registry modification

evasion

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 692 set thread context of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072700314159453_pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.212.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 193.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsn7FD1.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

memory/692-13-0x0000000003260000-0x00000000047CA000-memory.dmp

memory/692-14-0x0000000077961000-0x0000000077A81000-memory.dmp

memory/692-15-0x0000000074655000-0x0000000074656000-memory.dmp

memory/692-16-0x0000000003260000-0x00000000047CA000-memory.dmp

memory/2144-17-0x00000000016E0000-0x0000000002C4A000-memory.dmp

memory/2144-18-0x00000000779E8000-0x00000000779E9000-memory.dmp

memory/2144-19-0x0000000077A05000-0x0000000077A06000-memory.dmp

memory/2144-32-0x00000000016E0000-0x0000000002C4A000-memory.dmp

memory/2144-33-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2144-35-0x0000000000480000-0x000000000049E000-memory.dmp

memory/2144-36-0x00000000359E0000-0x0000000035F84000-memory.dmp

memory/2144-37-0x0000000035890000-0x000000003592C000-memory.dmp

memory/2144-38-0x0000000036360000-0x00000000363F2000-memory.dmp

memory/2144-39-0x00000000360E0000-0x0000000036130000-memory.dmp

memory/2144-40-0x0000000077961000-0x0000000077A81000-memory.dmp

memory/2144-41-0x0000000036520000-0x00000000366E2000-memory.dmp

memory/2144-42-0x00000000367B0000-0x00000000367BA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-10 15:31

Reported

2024-12-10 15:33

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 220

Network

N/A

Files

N/A