guloader | eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5

General

Target

eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
Size

1.0MB
MD5

a5350eaa7864ac06277c445e0f52f9d9
SHA1

9a589f6dcbb0ee908a1665501b3e249a00c05db8
SHA256

eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5
SHA512

19cbd739728359dff2932ee72bf923598fe523ed2c08fc3d42f4e535e94e8cd7b0c4165eb1f3e4b54ef96b403396571b9ce9d3042ceacb996237d78b3347e2d1
SSDEEP

24576:NtLjOxH2phdL18qdTJhxEvGuw48Qw1J+FOZVKgyhz:NtLiwhd3dzxYfw4krkOZxy9

Score

10^/10

guloader collection discovery downloader spyware stealer

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
13	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	checkip.dyndns.org
28	reallyfreegeoip.org
29	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2476	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
2476	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2476	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2476	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2476	872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe	89
PID 872 wrote to memory of 2476	872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe	89
PID 872 wrote to memory of 2476	872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe	89
PID 872 wrote to memory of 2476	872	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe

C:\Users\Admin\AppData\Local\Temp\eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
"C:\Users\Admin\AppData\Local\Temp\eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe
  "C:\Users\Admin\AppData\Local\Temp\eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc8BF6.tmp

Filesize
29B

MD5
7bcf80ed4b7586485d227a08e4b7686b

SHA1
75f83d3b2fd6fc16fe54abf43839bc0512ca0046

SHA256
3f1b5b4bbb2d866c8c62ef732346f0dd6843cbdb2aed403f041509d0657c8b77

SHA512
1bc1e78b73c49ffb095dbcced9b53a1403b253a22517441ab9db1aa720ffab2a2d36222c83c1773934157324201e769fa3b109fa620c3992a6488e9a79486bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8BF6.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C46.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh8C66.tmp

Filesize
60B

MD5
86b1517dcafc4a4339179034c736b13a

SHA1
dcaf657f694a70a5f41b45f9bd56b5adbfb9146c

SHA256
a181b7d3e37b70dfa7393c75e56579969260257921b04a16798398b62298f355

SHA512
14eff2d0277911af3956d652d26673e2f9d842f72b584ce0ff6f70dca311c18511b431febbce92ba2b88a4e78d54198db0c14371046ec2b9eb1ffc2971a5daf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D53.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C35.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8CA6.tmp

Filesize
56B

MD5
dafe25135ede7103cb267d1578e0c689

SHA1
ef87a386d2c6b7494cf58f0c98c43af600632c42

SHA256
0b8e7d7bf2483682129eda497da8a2119992e4aea40a6f9528afec01e1953653

SHA512
f79caea14ae158bfebada8328cf2657fb028193d76597dafd228e982e00b6f59ff6631ea354a3d69bf83a8d0e99791f613e1c13a6cf2837a035e9c257d47ca48

Download Submit
C:\Users\Public\Desktop\Varda.ini

Filesize
33B

MD5
340ad700cf73b73ea2313c044d40ea9a

SHA1
9b90cc3147d140fa936e308c2c320bdc385da93a

SHA256
55a2b8f5ef1d17023fd8245e69830cc961c0ce629eddc7ac1043c288cb3915b5

SHA512
4b31d10b80ae71197ac367c868569949224a4cd542bf0e9c188b816348ec8958f952525f939c827bddc8610f268dd12e310d6d2fc99071c741b3a38e062542b4

Download Submit
memory/872-599-0x0000000077761000-0x0000000077881000-memory.dmp

Filesize
1.1MB

Download
memory/872-598-0x0000000005350000-0x000000000854A000-memory.dmp

Filesize
50.0MB

Download
memory/872-597-0x0000000005350000-0x000000000854A000-memory.dmp

Filesize
50.0MB

Download
memory/872-601-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/872-600-0x0000000077761000-0x0000000077881000-memory.dmp

Filesize
1.1MB

Download
memory/872-603-0x0000000005350000-0x000000000854A000-memory.dmp

Filesize
50.0MB

Download
memory/2476-617-0x00000000016E0000-0x00000000048DA000-memory.dmp

Filesize
50.0MB

Download
memory/2476-616-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2476-618-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/2476-619-0x0000000037620000-0x0000000037BC4000-memory.dmp

Filesize
5.6MB

Download
memory/2476-620-0x0000000037BD0000-0x0000000037C6C000-memory.dmp

Filesize
624KB

Download
memory/2476-621-0x0000000037C70000-0x0000000037CC0000-memory.dmp

Filesize
320KB

Download
memory/2476-623-0x0000000038120000-0x00000000382E2000-memory.dmp

Filesize
1.8MB

Download
memory/2476-624-0x0000000038370000-0x0000000038402000-memory.dmp

Filesize
584KB

Download
memory/2476-625-0x00000000386B0000-0x00000000386BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing