Malware Analysis Report

2025-04-03 14:27

Sample ID 241218-p3m46szkfw
Target PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe
SHA256 fc94d179b05d50bcaa14523b241ee1652fde502bb7a3a27727e0892d39452963
Tags
discovery guloader downloader evasion spyware stealer collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc94d179b05d50bcaa14523b241ee1652fde502bb7a3a27727e0892d39452963

Threat Level: Known bad

The file PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader downloader evasion spyware stealer collection

Guloader family

Guloader,Cloudeye

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Loads dropped DLL

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-18 12:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-18 12:51

Reported

2024-12-18 12:54

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4232 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-18 12:51

Reported

2024-12-18 12:54

Platform

win7-20240903-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Disables Task Manager via registry modification

evasion

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\hjemmecomputeren.Pot C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2548 set thread context of 2880 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsdBE12.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

memory/2548-16-0x0000000002CD0000-0x0000000003EC8000-memory.dmp

memory/2548-17-0x0000000077A01000-0x0000000077B02000-memory.dmp

memory/2548-18-0x0000000077A00000-0x0000000077BA9000-memory.dmp

memory/2548-19-0x0000000002CD0000-0x0000000003EC8000-memory.dmp

memory/2880-20-0x0000000077A00000-0x0000000077BA9000-memory.dmp

memory/2880-40-0x0000000000460000-0x00000000014C2000-memory.dmp

memory/2880-41-0x0000000000460000-0x00000000014C2000-memory.dmp

memory/2880-42-0x0000000000460000-0x000000000047E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-18 12:51

Reported

2024-12-18 12:54

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Disables Task Manager via registry modification

evasion

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\hjemmecomputeren.Pot C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1744 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsvADF4.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

memory/1744-14-0x0000000002A60000-0x0000000003C58000-memory.dmp

memory/1744-15-0x00000000777F1000-0x0000000077911000-memory.dmp

memory/1744-17-0x0000000002A60000-0x0000000003C58000-memory.dmp

memory/1744-16-0x0000000010004000-0x0000000010005000-memory.dmp

memory/1744-18-0x0000000002A60000-0x0000000003C58000-memory.dmp

memory/4552-19-0x00000000016C0000-0x00000000028B8000-memory.dmp

memory/4552-20-0x0000000077878000-0x0000000077879000-memory.dmp

memory/4552-21-0x00000000016C0000-0x00000000028B8000-memory.dmp

memory/4552-22-0x0000000077895000-0x0000000077896000-memory.dmp

memory/4552-26-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4552-36-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/4552-37-0x0000000000460000-0x000000000047E000-memory.dmp

memory/4552-38-0x00000000355C0000-0x0000000035B64000-memory.dmp

memory/4552-39-0x00000000777F1000-0x0000000077911000-memory.dmp

memory/4552-40-0x0000000035B70000-0x0000000035C0C000-memory.dmp

memory/4552-41-0x0000000035F50000-0x0000000035FE2000-memory.dmp

memory/4552-43-0x0000000036000000-0x0000000036050000-memory.dmp

memory/4552-44-0x00000000361A0000-0x0000000036362000-memory.dmp

memory/4552-45-0x0000000036420000-0x000000003642A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-18 12:51

Reported

2024-12-18 12:54

Platform

win7-20240903-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 224

Network

N/A

Files

N/A