Malware Analysis Report

2025-04-03 14:22

Sample ID 241210-xr3dqazjgj
Target Confirm revised invoice to proceed with payment ASAP.exe
SHA256 2755e95a38fb5e5b3af3aea557601b9261004a3201219dfb704e28e60a06dfa3
Tags
discovery guloader collection downloader evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2755e95a38fb5e5b3af3aea557601b9261004a3201219dfb704e28e60a06dfa3

Threat Level: Known bad

The file Confirm revised invoice to proceed with payment ASAP.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader collection downloader evasion spyware stealer

Guloader family

Guloader,Cloudeye

Disables Task Manager via registry modification

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

outlook_office_path

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-10 19:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-10 19:06

Reported

2024-12-10 19:08

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4460 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4460 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4460 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2596 -ip 2596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-10 19:06

Reported

2024-12-10 19:08

Platform

win7-20240903-en

Max time kernel

13s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe

"C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nseF366.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

memory/2720-15-0x00000000037C0000-0x00000000062FA000-memory.dmp

memory/2720-20-0x00000000037C0000-0x00000000062FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-10 19:06

Reported

2024-12-10 19:08

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Disables Task Manager via registry modification

evasion

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe

"C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe"

C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe

"C:\Users\Admin\AppData\Local\Temp\Confirm revised invoice to proceed with payment ASAP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.212.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 193.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 169.8.226.132.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsh9741.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

memory/4188-13-0x0000000003160000-0x0000000005C9A000-memory.dmp

memory/4188-14-0x0000000003160000-0x0000000005C9A000-memory.dmp

memory/4188-17-0x0000000073FC0000-0x0000000073FC7000-memory.dmp

memory/4188-16-0x0000000073FC5000-0x0000000073FC6000-memory.dmp

memory/4188-15-0x00000000772D1000-0x00000000773F1000-memory.dmp

memory/4188-18-0x0000000003160000-0x0000000005C9A000-memory.dmp

memory/4508-19-0x00000000016E0000-0x000000000421A000-memory.dmp

memory/4508-32-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/4508-33-0x0000000000480000-0x000000000049E000-memory.dmp

memory/4508-34-0x0000000036FF0000-0x0000000037594000-memory.dmp

memory/4508-35-0x00000000375A0000-0x000000003763C000-memory.dmp

memory/4508-36-0x0000000037A60000-0x0000000037AF2000-memory.dmp

memory/4508-37-0x00000000376C0000-0x0000000037710000-memory.dmp

memory/4508-39-0x0000000037C30000-0x0000000037DF2000-memory.dmp

memory/4508-40-0x0000000037EC0000-0x0000000037ECA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-10 19:06

Reported

2024-12-10 19:08

Platform

win7-20241023-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 220

Network

N/A

Files

N/A