guloader | 0349e40ccc3ffad405bf09c148b1a8e682823938385edc10253db66ad9bc2d90

General

Target

Fatura Doc_Nr._4000200_43169-_.pdf.exe
Size

655KB
MD5

11efce99af9dfb15ce0b4e53cbfc76be
SHA1

d02de892de917e65ab54e7daa2da7c1b463f975f
SHA256

0349e40ccc3ffad405bf09c148b1a8e682823938385edc10253db66ad9bc2d90
SHA512

1fa2f58d84522ba1bb651f7733acd18961aab997748343f721ddf8826a6ecca598376e3db9a462a37ae23730334555ed89a3fb3ef309acbd20b068576ebb29bd
SSDEEP

12288:Cgum6gVzkp6YvYT6TiMvmzZT6hSfe7UTuJdAwKne4O8B:BVoc0YoGMSm7U6Jd3sO8

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.etimaad.com
Port:
587
Username:
[email protected]
Password:
!.a&qR_e50hP

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.etimaad.com
Port:
587
Username:
[email protected]
Password:
!.a&qR_e50hP
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 10 IoCs

pid	Process
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fatura Doc_Nr._4000200_43169-_.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fatura Doc_Nr._4000200_43169-_.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
17	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	checkip.dyndns.org
31	reallyfreegeoip.org
32	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2896	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe
2896	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\benna\Tramsmith.mus	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Tantiemes0\rejseforsikringernes.ini	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fatura Doc_Nr._4000200_43169-_.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2896	Fatura Doc_Nr._4000200_43169-_.pdf.exe
2896	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	Fatura Doc_Nr._4000200_43169-_.pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 2896	4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe	86
PID 4036 wrote to memory of 2896	4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe	86
PID 4036 wrote to memory of 2896	4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe	86
PID 4036 wrote to memory of 2896	4036	Fatura Doc_Nr._4000200_43169-_.pdf.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fatura Doc_Nr._4000200_43169-_.pdf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fatura Doc_Nr._4000200_43169-_.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Fatura Doc_Nr._4000200_43169-_.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Fatura Doc_Nr._4000200_43169-_.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\Fatura Doc_Nr._4000200_43169-_.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Fatura Doc_Nr._4000200_43169-_.pdf.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\LangDLL.dll

Filesize
5KB

MD5
0c44f21d4afc81cc99fac7cc35e4503a

SHA1
3d0d5c684df99a46510c0e2c0020163a9d11c08d

SHA256
8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10

SHA512
4e4bd35d6aa21cecbfe7a93a2ee7db8ee78ca710a4193dfe240d1067afbe10f61db332c1c85f6cc3ba404d895a959742401b615ef8ff5bd9028254c4a43a0923

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
memory/2896-62-0x0000000036DF0000-0x0000000036E8C000-memory.dmp

Filesize
624KB

Download
memory/2896-64-0x00000000379E0000-0x0000000037BA2000-memory.dmp

Filesize
1.8MB

Download
memory/2896-70-0x00000000347D0000-0x00000000347DA000-memory.dmp

Filesize
40KB

Download
memory/2896-69-0x0000000034710000-0x00000000347A2000-memory.dmp

Filesize
584KB

Download
memory/2896-66-0x0000000037CA0000-0x00000000381CC000-memory.dmp

Filesize
5.2MB

Download
memory/2896-65-0x0000000037BD0000-0x0000000037C20000-memory.dmp

Filesize
320KB

Download
memory/2896-43-0x00000000016F0000-0x000000000407D000-memory.dmp

Filesize
41.6MB

Download
memory/2896-47-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/2896-57-0x00000000016F0000-0x000000000407D000-memory.dmp

Filesize
41.6MB

Download
memory/2896-58-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/2896-59-0x00000000016F0000-0x000000000407D000-memory.dmp

Filesize
41.6MB

Download
memory/2896-60-0x0000000000490000-0x00000000004D8000-memory.dmp

Filesize
288KB

Download
memory/2896-61-0x0000000036EC0000-0x0000000037464000-memory.dmp

Filesize
5.6MB

Download
memory/4036-42-0x0000000004A30000-0x00000000073BD000-memory.dmp

Filesize
41.6MB

Download
memory/4036-36-0x0000000004A30000-0x00000000073BD000-memory.dmp

Filesize
41.6MB

Download
memory/4036-37-0x0000000004A30000-0x00000000073BD000-memory.dmp

Filesize
41.6MB

Download
memory/4036-39-0x00000000777B1000-0x00000000778D1000-memory.dmp

Filesize
1.1MB

Download
memory/4036-40-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/4036-38-0x00000000777B1000-0x00000000778D1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads