guloader | a02e01069a411ac5f354cc5cd4ed2230baf3d25658859dfee5c6cb897c0e090d

General

Target

Aksecylinder.exe
Size

750KB
MD5

e829e0f6d465052b5d6f2a6859d3758d
SHA1

6dfc7933c035bd6f6b3d7a39e9a266c5be535bd1
SHA256

160856540bd88b9662d5f8f82d220bb167072c2f89cc51e5ef769cc524d86647
SHA512

fa4fc21a12532f7a0b64a9e77a8a2676144cbefcb33b4c26e2deddbfead5a00fe708b846e3273cec38dfb9bb0a4d357828701a68b0de919b7c4c41505db14c93
SSDEEP

12288:uF99nDxQgv8fbbwQarRSOy38SeD83S1B0E3EqDxnE8UML789zUO9vVOI0emBm:qdxjK3wQagL3lRsLxnlGUOdb0emBm

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2328	Aksecylinder.exe
2328	Aksecylinder.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	reallyfreegeoip.org
14	checkip.dyndns.org
16	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1424	Aksecylinder.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2328	Aksecylinder.exe
1424	Aksecylinder.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\infarkt.pla	Aksecylinder.exe
File opened for modification	C:\Program Files (x86)\Unelaborated.non	Aksecylinder.exe
File opened for modification	C:\Program Files (x86)\Common Files\bedvelsens\Reaccelerates.ske	Aksecylinder.exe
File opened for modification	C:\Program Files (x86)\Common Files\rhesusbarnet\teenfully.bra	Aksecylinder.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\rothesay\Fallenternes.con	Aksecylinder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aksecylinder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aksecylinder.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1424	Aksecylinder.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2328	Aksecylinder.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	Aksecylinder.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1424	2328	Aksecylinder.exe	31
PID 2328 wrote to memory of 1424	2328	Aksecylinder.exe	31
PID 2328 wrote to memory of 1424	2328	Aksecylinder.exe	31
PID 2328 wrote to memory of 1424	2328	Aksecylinder.exe	31
PID 2328 wrote to memory of 1424	2328	Aksecylinder.exe	31

C:\Users\Admin\AppData\Local\Temp\Aksecylinder.exe
"C:\Users\Admin\AppData\Local\Temp\Aksecylinder.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\Aksecylinder.exe
  "C:\Users\Admin\AppData\Local\Temp\Aksecylinder.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Pictures\fedtlderstvles.lnk

Filesize
884B

MD5
bab4ec22fdc619642b1bbfcf6d0b4247

SHA1
87a61410321cc63f4155f9f53d2b608600229722

SHA256
ede82f468318172ca4c18d8f52c385789e0078f215de6dd165a206e11b280d1c

SHA512
1f6fb0092156018e6c467579514fa111c603fd0c46b742c0953dd639abdc5a1899db162633eb0913f2fb6498ac425269162fccd0c00e6a2ed6d0734275b2fc31

Download Submit
\Users\Admin\AppData\Local\Temp\nstBCEA.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
memory/1424-311-0x00000000014D0000-0x0000000004D02000-memory.dmp

Filesize
56.2MB

Download
memory/1424-312-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/1424-313-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/1424-334-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/1424-336-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1424-335-0x00000000014D0000-0x0000000004D02000-memory.dmp

Filesize
56.2MB

Download
memory/2328-310-0x00000000776A0000-0x0000000077849000-memory.dmp

Filesize
1.7MB

Download
memory/2328-309-0x00000000776A1000-0x00000000777A2000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing