guloader | 0f53eff52887aae5e364992c447a0816efaac51fd03539713b13d502bcfed409

General

Target

Cubistic.exe
Size

744KB
MD5

615dbc6bbf1babd9d064ec9d24b211b1
SHA1

5465ddcd9aa36db67f3a29607f86c4df6989d026
SHA256

f1b6f735c651a28ecb97d4b9e21adc5d79ebed5b2686482f58ae33df3f13492d
SHA512

3a0d4769020d220676907a71d8fea5e2d61ca2e6d3ae79be14a7b4b5a99c78b03c044619e3c55c8a1e76f660cee26638932fd846ec580f8ad72b551d41cfdb04
SSDEEP

12288:lF9eqV6zZSsoOa/xy38SeD83S1vKZbXvOIxnE8UML789zUO9vVOI0emBmf:Zx6SsoOa/A3lRsUbbxnlGUOdb0emBmf

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7618867847:AAF14vnGvkJJYcxLyMVdR3OZPzd4TQzD_OY/sendMessage?chat_id=6070006284

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
1644	Cubistic.exe
1644	Cubistic.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org
16	reallyfreegeoip.org
17	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
560	Cubistic.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1644	Cubistic.exe
560	Cubistic.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\rhesusbarnet\teenfully.bra	Cubistic.exe
File opened for modification	C:\Program Files (x86)\Common Files\infarkt.pla	Cubistic.exe
File opened for modification	C:\Program Files (x86)\Unelaborated.non	Cubistic.exe
File opened for modification	C:\Program Files (x86)\Common Files\bedvelsens\Reaccelerates.ske	Cubistic.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\rothesay\Fallenternes.con	Cubistic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cubistic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cubistic.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
560	Cubistic.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1644	Cubistic.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	Cubistic.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 560	1644	Cubistic.exe	31
PID 1644 wrote to memory of 560	1644	Cubistic.exe	31
PID 1644 wrote to memory of 560	1644	Cubistic.exe	31
PID 1644 wrote to memory of 560	1644	Cubistic.exe	31
PID 1644 wrote to memory of 560	1644	Cubistic.exe	31

C:\Users\Admin\AppData\Local\Temp\Cubistic.exe
"C:\Users\Admin\AppData\Local\Temp\Cubistic.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\Cubistic.exe
  "C:\Users\Admin\AppData\Local\Temp\Cubistic.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Pictures\fedtlderstvles.lnk

Filesize
920B

MD5
92194b85d0259fff27102f8678bc0a31

SHA1
4091014a22a7961c01b0f4106246c5e7153b203a

SHA256
99b86a9383233a20f0e0cc1826f97b4989f950ae60f4a0b2635544173cb0a90d

SHA512
51475fb048e0b01c9f6cbf62ef0cb9d2f411f3661f9d580e342085bf5435156e86896cc7f78efea2341fb1d5faf6744bb836e018c8f9c02bffd7f350dbe79ea5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDE9D.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
memory/560-314-0x0000000077730000-0x00000000778D9000-memory.dmp

Filesize
1.7MB

Download
memory/560-319-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/560-334-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/560-335-0x00000000014D0000-0x00000000033AE000-memory.dmp

Filesize
30.9MB

Download
memory/560-336-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1644-309-0x0000000003090000-0x0000000004F6E000-memory.dmp

Filesize
30.9MB

Download
memory/1644-310-0x0000000077731000-0x0000000077832000-memory.dmp

Filesize
1.0MB

Download
memory/1644-311-0x0000000077730000-0x00000000778D9000-memory.dmp

Filesize
1.7MB

Download
memory/1644-312-0x0000000003090000-0x0000000004F6E000-memory.dmp

Filesize
30.9MB

Download
memory/1644-315-0x0000000003090000-0x0000000004F6E000-memory.dmp

Filesize
30.9MB

Download

Analysis

Sharing