guloader | 659a432dd59291bab8b1bb3c78c3d26c8080cbb255e5407f504fe6e24f175352

Analysis

max time kernel
141s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
Size

474KB
MD5

76e2017ac06cb371534484026354166b
SHA1

675b71298410de5703fdc9bcd81b29de0ff8a326
SHA256

659a432dd59291bab8b1bb3c78c3d26c8080cbb255e5407f504fe6e24f175352
SHA512

edf89452e25231907695c9491bd6a442e76f6e27174386c8d2373d361022b01e2cec6a4bd0ad23a957c7794d3610be3c4a1e0dd5cdc8f343e482c0b89858298b
SSDEEP

12288:EqgowvlfpMcu8jRMhrnPtwBa2BagAaOzLkef:gdfTuThBwBZaHnf

Score

10^/10

guloader lokibot collection downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2508 powershell.exe
Loads dropped DLL 3 IoCs

Processes:

PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

pid process

2924 PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
2924 PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
2924 PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

pid	process
2508	powershell.exe

pid	process
2924	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
2924	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
2924	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Drops file in System32 directory 1 IoCs

Processes:

PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

description ioc process

File created C:\Windows\SysWOW64\energetiskes\Physicianer223.lnk PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

1464 wab.exe
1464 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2508 powershell.exe
1464 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2508 set thread context of 1464 2508 powershell.exe wab.exe

flow	ioc
3	drive.google.com
5	drive.google.com

description	ioc	process
File created	C:\Windows\SysWOW64\energetiskes\Physicianer223.lnk	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

pid	process
1464	wab.exe
1464	wab.exe

pid	process
2508	powershell.exe
1464	wab.exe

description	pid	process	target process
PID 2508 set thread context of 1464	2508	powershell.exe	wab.exe

Drops file in Program Files directory 3 IoCs

Processes:

PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\eduard.lyz	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\yeastless.Rus	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Marrowless\Mutated.ini	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

Drops file in Windows directory 1 IoCs

Processes:

PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

description ioc process

File opened for modification C:\Windows\schematizers.roa PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid process

2508 powershell.exe
2508 powershell.exe
2508 powershell.exe
2508 powershell.exe
2508 powershell.exe
2508 powershell.exe
2508 powershell.exe
2508 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2508 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2508 powershell.exe
Token: SeDebugPrivilege 1464 wab.exe

description	ioc	process
File opened for modification	C:\Windows\schematizers.roa	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe

pid	process
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe

pid	process
2508	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1464	wab.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

PLANT PROJECT PROPOSAL BID_24-0676·pdf.exepowershell.exe

description	pid	process	target process
PID 2924 wrote to memory of 2508	2924	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe	powershell.exe
PID 2924 wrote to memory of 2508	2924	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe	powershell.exe
PID 2924 wrote to memory of 2508	2924	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe	powershell.exe
PID 2924 wrote to memory of 2508	2924	PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe	powershell.exe
PID 2508 wrote to memory of 1464	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 1464	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 1464	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 1464	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 1464	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 1464	2508	powershell.exe	wab.exe

outlook_office_path 1 IoCs

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook wab.exe
outlook_win_path 1 IoCs

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

C:\Users\Admin\AppData\Local\Temp\PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PLANT PROJECT PROPOSAL BID_24-0676·pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Beguiling=Get-Content 'C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Ligneous27\Megabyte.Rec';$fuglereservatet=$Beguiling.SubString(69485,3);.$fuglereservatet($Beguiling)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Ligneous27\Drmmeanalysens.Ala
Filesize
323KB

MD5
eb8937291617e9f9644aec2dcdf40844

SHA1
6b1323a2aee86772d3a7a9bedff084c3c1a45a63

SHA256
31932e8ade610cbf0a594ccef31b0ecc35acb4cdd804daa395e23b8cf33b034f

SHA512
1b61ca1ade8d509f64aedb8dedc96ef60daf2392ef480e09d46257aeec7f169a0ece35a47fb20d99c95b96821f8cf47abea3aa683541aeeb13633bf2c238fd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Ligneous27\Megabyte.Rec
Filesize
67KB

MD5
25d90d6894b5b0262a759a22d5f975bf

SHA1
b784e579a75f3d5f67d7e5a31fcc8b36534895b9

SHA256
732013c0d4e35e91bce7a2dc851621326cc1017b23ec7adf40e9f83361aa41a8

SHA512
03e98b9aa7de9db7901ef46a27432d99c60a77110ff501b8a0308b4d39c1bf9074d965c8236b62086a0ce99bf50fda77f78887817dffe0fcfb17112cbfd37f37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2721934792-624042501-2768869379-1000\0f5007522459c86e95ffcc62f32308f1_dbaf3979-518f-4824-86e4-f33db9fb991c
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2721934792-624042501-2768869379-1000\0f5007522459c86e95ffcc62f32308f1_dbaf3979-518f-4824-86e4-f33db9fb991c
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFE6C.tmp\Banner.dll
Filesize
4KB

MD5
843657eaf7240b695624dcf38bb0eb31

SHA1
ca99a44e737fdeaab56f864ce1ef15a57d2eec90

SHA256
b935d14c32ad8e16055f7f5794ac3411e601c5ac93155afc623f25b08e2ab82e

SHA512
7773d9f6bbd17253d1c96ce225b2f9d3673969b38177afef236d1c5d4aabaae2c07793e07c34f0281ec3b859ae955e83bfe43a598ce7cc6c893ec8c9604f5de3

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFE6C.tmp\BgImage.dll
Filesize
7KB

MD5
a98576f0d6b35b466cb881860977fdbc

SHA1
28b3dbbd76f15c876b98dce523100aa3256d193a

SHA256
6cc4aadae46ee3e7f39b411ba087ec29bc10aa62b6b5b44003c934b3c51cefe2

SHA512
29225bfb30e72d7d3d3571e7562b5901dbf2382af1972cc9a2be8e3bef697b9ac9e0aaac3a9bca191da827ad3cfce7f6876e8be9444663e83a7e2e86788a733c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFE6C.tmp\nsDialogs.dll
Filesize
9KB

MD5
2c84faebfda2abe3b16fdf374df4272f

SHA1
a5b0258a94e0440aefe1ef320e62e7a9a1c8bb40

SHA256
72b38e4cca0af336655d55501c4ea05080baaa9921a62a2d717afe90bb801004

SHA512
207164cc6914c59d9f4f3b8ae97628c544093ba6ecda9f8da351f453cd97e03be7a640264b8686b2d5e6f3c787f4df1d8a1ebc8e51fd788a97460cd981cc015e

Download Submit
memory/1464-60-0x0000000000630000-0x000000000650A000-memory.dmp

Filesize
94.9MB

Download
memory/2508-28-0x0000000073271000-0x0000000073272000-memory.dmp

Filesize
4KB

Download
memory/2508-31-0x0000000073270000-0x000000007381B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-36-0x0000000006530000-0x000000000C40A000-memory.dmp

Filesize
94.9MB

Download
memory/2508-37-0x0000000073270000-0x000000007381B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-32-0x0000000073270000-0x000000007381B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-30-0x0000000073270000-0x000000007381B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-29-0x0000000073270000-0x000000007381B000-memory.dmp

Filesize
5.7MB

Download