File name:	21821568574.zip
Full analysis:	https://app.any.run/tasks/a64e2453-524f-4f4b-9f0e-5b45cb79e836
Verdict:	Malicious activity
Threats:	GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. GuLoader ist ein fortschrittlicher, in Shellcode geschriebener Downloader. Er wird von Kriminellen verwendet, um andere Malware, vor allem Trojaner, in großem Umfang zu verbreiten. Er ist dafür berüchtigt, dass er Anti-Erkennungs- und Anti-Analyse-Funktionen nutzt. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 25, 2025, 06:48:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec evasion snake keylogger telegram stealer guloader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	07A71577E8D9F8554903390C72CCE379
SHA1:	953897589295BD64208A097AB6DA66EEB96385F7
SHA256:	46F9C602950FEAFA3379EB72D16AB5D786D5F87CB000B74C02BBCBBD29D80B1F
SSDEEP:	24576:kBm+41fKT4PyVzRCRooHRnQkWEoPqvO3NRXKDZpsmau7MHPbsTu6M8xROgFnQcvd:kBm+41fKT4PyVzRCKoHRntWEoPqvO3Ns

ZipRequiredVersion:	20
ZipBitFlag:	0x0009
ZipCompression:	Deflated
ZipModifyDate:	1980:00:00 00:00:00
ZipCRC:	0x52404528
ZipCompressedSize:	623086
ZipUncompressedSize:	622874
ZipFileName:	3f6474cb260bb34c44043b82aef917d5b7385485895dd20b7d667643f1cd9e36


(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\21821568574.zip
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4448) Request for Quotation-RFQ20250324.exe	Key:	HKEY_CURRENT_USER\Cinnoberrdes\Uninstall\Hjrdt
Operation:	write	Name:	modularizing
Value: 0
(PID) Process:	(4608) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32

PID	Process	Filename		Type
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\idyls.txt		text
		MD5:BB8111CE0323359940EBFBD7611D60EB	SHA256:FFF5D4602C4A04F2D975C71ABF2CF70BED7FBDFAB50CC656DA76BA88F2668BB3
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\Brneforsorgen57.kor		binary
		MD5:08D117BA4A9C832CC30E032C7BCF7474	SHA256:6207CAB20D6E437934816344BCC024D6DE625AD0AF4139A32EB9476A3A5E98DE
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\Tejns.ini		text
		MD5:BB68691C101EBA2B784C6C6D2E278C64	SHA256:41F7E84A177337F60EBF11D0B52FF9DDD3031C519243074EEBF4425BDB6803F4
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\maadehold.jpg		image
		MD5:24231B987AFE80EE9FAC1E7A88974ED7	SHA256:48A34680FAB2D112DAE48D9BE43730131646AD3EEC352C0686CADD34062FF13B
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\outringing.txt		text
		MD5:F36C8DCE91E23B42FEF78716E1127CF3	SHA256:68A145D46C3AF57DD8FB80BDA315720BDFEF673AB17CF721F97883C11E5B918B
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\maskulinitetens.str		binary
		MD5:752AFECA31E0B3748C0345DA7761865C	SHA256:D8944C09A73AE4B6C67F185DDA3CF0876813183D863AB25F6142A0E896650091
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\monstrosity.jpg		image
		MD5:82E92251110D9EF915AA0139BAA18AE3	SHA256:EBAD3EF4674AFAAF3AE1C962E7BE6A23C8C8664455AEB18E07AF15B84D8F4950
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\overelaborateness.txt		text
		MD5:86ECE13154A57E48DABA0F7A6447DADA	SHA256:A8DF90BFA1A0BCE0E279846FA8476BEBA89F18C783A00DE11A0450ADA048B71F
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\Fistulated.ini		text
		MD5:EEF998EF8A7D3E441D919A848FA24796	SHA256:8C9860EE075353827E260824C8DEB3960B5634C9796FAAFD96C60113FEBC1B1C
4448	Request for Quotation-RFQ20250324.exe	C:\Users\admin\AppData\Local\Temp\bremseraket\brother\Produktkontroller.Uin		binary
		MD5:91F0A51E649E051B647DA63957ACC97E	SHA256:3124420CE18771F1AE5038C88091E1F2596FF76B9756A046F13079C7F47AA11E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6516	msiexec.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
—	—	GET	200	104.21.112.1:443	https://reallyfreegeoip.org/xml/31.181.5.13	unknown	—	—	—
6516	msiexec.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
6516	msiexec.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
—	—	GET	303	142.250.185.206:443	https://drive.google.com/uc?export=download&id=1dbFlp4N3At5mAJWqSUIar9v5CFq8UhOk	unknown	—	—	—
2104	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6516	msiexec.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
—	—	GET	200	104.21.32.1:443	https://reallyfreegeoip.org/xml/31.181.5.13	unknown	—	—	—
—	—	GET	200	104.21.48.1:443	https://reallyfreegeoip.org/xml/31.181.5.13	unknown	—	—	—
6516	msiexec.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6516	msiexec.exe	142.250.184.238:443	drive.google.com	GOOGLE	US	whitelisted
6516	msiexec.exe	142.250.186.65:443	drive.usercontent.google.com	GOOGLE	US	whitelisted
6516	msiexec.exe	132.226.8.169:80	checkip.dyndns.org	ORACLE-BMC-31898	JP	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.6 23.216.77.28 23.216.77.36	whitelisted
drive.google.com	142.250.184.238	whitelisted
drive.usercontent.google.com	142.250.186.65	whitelisted
checkip.dyndns.org	132.226.8.169 158.101.44.242 193.122.6.168 193.122.130.0 132.226.247.73	whitelisted
reallyfreegeoip.org	104.21.96.1 104.21.48.1 104.21.112.1 104.21.16.1 104.21.32.1 104.21.64.1 104.21.80.1	malicious
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
api.telegram.org	149.154.167.220	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6516	msiexec.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
6516	msiexec.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
6516	msiexec.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
2196	svchost.exe	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
6516	msiexec.exe	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
6516	msiexec.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
6516	msiexec.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
6516	msiexec.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org

General Info

21821568574.zip

07A71577E8D9F8554903390C72CCE379

953897589295BD64208A097AB6DA66EEB96385F7

46F9C602950FEAFA3379EB72D16AB5D786D5F87CB000B74C02BBCBBD29D80B1F

24576:kBm+41fKT4PyVzRCRooHRnQkWEoPqvO3NRXKDZpsmau7MHPbsTu6M8xROgFnQcvd:kBm+41fKT4PyVzRCKoHRntWEoPqvO3Ns

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SNAKEKEYLOGGER has been detected (SURICATA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

GULOADER SHELLCODE has been detected (YARA)

GULOADER has been detected (YARA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Converts a specified value to a byte (POWERSHELL)

Executable content was dropped or overwritten

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

The process verifies whether the antivirus software is installed

INFO

Create files in a temporary directory

Gets data length (POWERSHELL)

Checks supported languages

Manual execution by a user

Script raised an exception (POWERSHELL)

Reads the computer name

Converts byte array into ASCII string (POWERSHELL)

Disables trace logs

Checks whether the specified file exists (POWERSHELL)

Uses string split method (POWERSHELL)

Checks proxy server information

Reads the software policy settings

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings