guloader | 60fb7826f156ee2fefc7a9bbf772b826f2cba708807865a83da935b561fb2e36

General

Target

Limitarian.exe
Size

740KB
MD5

4fa38b05807f476d8ee68f21fd19bfe6
SHA1

c2ff720a03224ac753db68f6af67b6893065c895
SHA256

e9f5387c0d3930c8411a98a493979b3c0e1306d26deba3ff3d5a6ee9a36c0cc3
SHA512

9a6196f8e143fb18a02987a2081437956203b49c27e6cc277387219e56e5e75d8b29d4bc15752ff10905cebc4d0f8d655e15e6b3e139a192bdb4d0040c474f7f
SSDEEP

12288:NF9OIpstX2WZRreby38SeD83S1V2dt8IysxnE8UML789zUO9vVOI0emBmV:xOKsN5Rr53lRsVumIysxnlGUOdb0emB4

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8172976107:AAH5CXqEBGFF-CK18VpImdWAW7U_9296FqY/sendMessage?chat_id=6885960134

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2456	Limitarian.exe
2456	Limitarian.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
6	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
324	Limitarian.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2456	Limitarian.exe
324	Limitarian.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\infarkt.pla	Limitarian.exe
File opened for modification	C:\Program Files (x86)\Unelaborated.non	Limitarian.exe
File opened for modification	C:\Program Files (x86)\Common Files\bedvelsens\Reaccelerates.ske	Limitarian.exe
File opened for modification	C:\Program Files (x86)\Common Files\rhesusbarnet\teenfully.bra	Limitarian.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\rothesay\Fallenternes.con	Limitarian.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Limitarian.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Limitarian.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
324	Limitarian.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2456	Limitarian.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	Limitarian.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 324	2456	Limitarian.exe	31
PID 2456 wrote to memory of 324	2456	Limitarian.exe	31
PID 2456 wrote to memory of 324	2456	Limitarian.exe	31
PID 2456 wrote to memory of 324	2456	Limitarian.exe	31
PID 2456 wrote to memory of 324	2456	Limitarian.exe	31

C:\Users\Admin\AppData\Local\Temp\Limitarian.exe
"C:\Users\Admin\AppData\Local\Temp\Limitarian.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\Limitarian.exe
  "C:\Users\Admin\AppData\Local\Temp\Limitarian.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Pictures\fedtlderstvles.lnk

Filesize
876B

MD5
8e91f3652de49e5a4d14b305106640dc

SHA1
ce113f46b98e529ab2c3376b21bd3cdc6d9e42ad

SHA256
7a76eb706623ca6336476099e019a096a4ce92771c6b95c4410098327159ece3

SHA512
3a676522070b6b5533225dd2fb62a636fb159b707c4ae1d5f2c05659ed91978fa8256702989795fba0b3e06aa209ff833dd8085843ca8fec121852cb49ae7f6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD395.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
memory/324-311-0x00000000014D0000-0x00000000047D0000-memory.dmp

Filesize
51.0MB

Download
memory/324-312-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/324-313-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/324-334-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/324-335-0x00000000014D0000-0x00000000047D0000-memory.dmp

Filesize
51.0MB

Download
memory/324-336-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/2456-310-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/2456-309-0x0000000077811000-0x0000000077912000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing