guloader | cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
Size

993KB
MD5

109999f2dd1c17c2f9824fe52d15857b
SHA1

ccc28bea9a2d7f888291a3ff846a6f820509f1a8
SHA256

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87
SHA512

9c260cd2764d4a6b33b2a119825c6ce0e3e759cecf02adfe10e1ed72d0e2e5e86de4f5660437c1bbadb9e53a76bd74e3966054daff3b3d7b9a173c98a58d4d26
SSDEEP

12288:tqiMp5vpmVSD/bqepRjrByHHjXEbDbMifHzF6rWowo3lItWMTCJqCOl1:RMqObqe7jrmHjXEPbMifTcrh9+tW40O3

Score

10^/10

guloader vipkeylogger discovery downloader keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
cp1.virtualine.org
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

pid	process
648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

pid process

636 cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

flow	ioc
42	checkip.dyndns.org

pid	process
636	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.execf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

pid	process
648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
636	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

description	pid	process	target process
PID 648 set thread context of 636	648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

Drops file in Windows directory 2 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

description	ioc	process
File opened for modification	C:\Windows\resources\0409\backstrap\lejekassernerne.Osc55	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
File opened for modification	C:\Windows\resources\ttningslisternes\Poulardes50.sto	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2900 636 WerFault.exe cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

pid	pid_target	process	target process
2900	636	WerFault.exe	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.execf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

pid process

636 cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

pid process

648 cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

description pid process

Token: SeDebugPrivilege 636 cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

pid	process
636	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

description	pid	process
Token: SeDebugPrivilege	636	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

description	pid	process	target process
PID 648 wrote to memory of 636	648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
PID 648 wrote to memory of 636	648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
PID 648 wrote to memory of 636	648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
PID 648 wrote to memory of 636	648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
PID 648 wrote to memory of 636	648	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe	cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe

C:\Users\Admin\AppData\Local\Temp\cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
"C:\Users\Admin\AppData\Local\Temp\cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe
  "C:\Users\Admin\AppData\Local\Temp\cf6800448bd20938d5e58be636dac9fd95ada3b8a2360a0e27672726d9c16f87.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1860
    3⤵
    - Program crash
    PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 636 -ip 636
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsaD2F5.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaD2F5.tmp

Filesize
27B

MD5
25f205f6839d0787565c29c38a66e75e

SHA1
a2fbad8a011fe9e90a71727905ab119dd3c39b0f

SHA256
e2b210499b723d06146d7e4b169a4ae664b9f157a7ce9fdf76f763acad5163b2

SHA512
24b55c8bc4a2a7cd3e4360e0bdbd9dfdb8c81a5cc8b8e8205916064ebbcb9e83ffb86e6d42dc1325c93539625b66540353180119469b31d2a01b6c7300e9e495

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaD2F5.tmp

Filesize
29B

MD5
90d4148f2c3df01640574cf198642bff

SHA1
80df93c47461df2096af940f6ff710cc3b103a5d

SHA256
603018413ce2875406e3ef08d7ba9a2f086539f1d1ed1023efea06b635c426fc

SHA512
0e407fe7c335c47b7a81cd77fc17b3db6d179342b3d05d103663e5fa7780d9d496e4a9ea462dc5f66cc4708a67c02aec395a08d73b6e52f3c4fa490b89ac4d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaD2F5.tmp

Filesize
48B

MD5
661bd716737f9fb3c103d4b268a5003b

SHA1
32055f18ef1258574b79218887a47922c5633015

SHA256
5d66ef48134420a17314ae8f901251864467aad440608c62bfce785f3fb00b85

SHA512
3c22269df6d99abcc3059ca08927f97fc256c23609e1592af03ffaf344dd602edb2598396b13d150f8dbcf27235120e5fc505bd17180ec7d87ce65d93cc215a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCECB.tmp\System.dll

Filesize
11KB

MD5
6ad39193ed20078aa1b23c33a1e48859

SHA1
95e70e4f47aa1689cc08afbdaef3ec323b5342fa

SHA256
b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2

SHA512
78c89bb8c86f3b68e5314467eca4e8e922d143335081fa66b01d756303e1aec68ed01f4be7098dbe06a789ca32a0f31102f5ba408bc5ab28e61251611bb4f62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCEEC.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCEEC.tmp

Filesize
17B

MD5
aa56823a4614597aa5035bfb3f63c847

SHA1
873c3e649bf0b41d9b4d1ee998df6e47abd32841

SHA256
7d544ae2f97f0655acb9017ff329202409d17e86552e93c27c08ae532cb57f98

SHA512
0a9c4cac8181cdd5638c9bcd1898370c1b51bef5094eaa886e06937e6e36986f31a54b14a0d044c64ef4b332dc5d785dfdaf5ac5e1c067eb4421fd87f2486472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCEEC.tmp

Filesize
26B

MD5
b7e56998ef81615a40866acb94c2f30a

SHA1
205d7d70bb8077a220d58f0bea2975fef5acf95a

SHA256
0b50a60cc7418cc1aec43be27dad966a1cf62eea10f825cb93d62b265c7e5dd7

SHA512
4f8a5482c7a21fc0f33e7da187ba7e9ef1250729ec30e56cee98c86e96a5307387436639040905f88ac9af24117d8c8094d142a70c2144c5935b1ace877dd731

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCEEC.tmp

Filesize
36B

MD5
3d4b43e24f8a5cb80bba86e69735e146

SHA1
caaa79191da01e6cdd282f084dd7299c54a57dfe

SHA256
54f4b8891dda2b1f31a6b798b8ef5e253f79173727341309c86f50191584a3eb

SHA512
6d34fba9a130aaff8dba31f64f7f0c4168134092428661adf9906826e39d497754927a479dcfe0809101b6da0a1d7c08cbb53ccc74c371edbf01c054c7bce4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCEEC.tmp

Filesize
50B

MD5
66232700b45a0cd2fca0b0ab4c15cf1d

SHA1
5b63ae813636c07f4de62f88425d23c3c75e024b

SHA256
6a3fde98ef05ef8b76bb66538de3e3e14b6d9928176532293645b0cb27325c9d

SHA512
f97a2e4779c99d335f4118b94dfb004c65efe5342c6fc75632bfa6f96ac14c5c35cd1adc11a7e5472dc22553e6151e109e2cca5694139eea6fa32e620c0c5054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCEEC.tmp

Filesize
49B

MD5
1aeb67240bc704bf6cc2fa0a6f52a970

SHA1
0d5cbc71d7e606e7f1a68332be8a7a5a7b4be02d

SHA256
bbd283b5a658ac95e8811c820de41f911e7559e982d9378b5b14c3f7cb5ccb6d

SHA512
c64bdb3c49ff5ca422fe5a4a03fac5145072f7cf692addc23e811ce39c25fc7fcb8e15a07fd770eb8d392d86cfc12c3520b080899a4d2c85646c09b181f2b47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD509.tmp

Filesize
11B

MD5
9234653ab7a15a6a77df6d71833b2863

SHA1
40bced20128597a1a694eeb78cfeb926b606a9cf

SHA256
cb9399842dd29519b6a475e7496610bf77edb3c59b56b4a708f0304632c909a8

SHA512
0245b93f0b052ea70e7f5aa2c2b139f833ad40e67eaafa8c1b51421b87f67e7ef8218df07d397e862d6210f941930e71e21c2159e01fbd415a42c5eec9c48c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnCCE6.tmp

Filesize
64B

MD5
814da453daa6269ca4ed4cd15266b28c

SHA1
82981f8c0d5d3ffccbf06fff867f8c3b1aaa454b

SHA256
791004efaa6a41452708fe5db95097b4681e4f4d386e33b8044088b8f736d743

SHA512
3336dbdf67c28567e9cd6a495e2e7d7e7fca21fccdff35b7c84588237829c32f69be5f733cbc3e3bf1614868a3e9e6000c5ff3116b4cc035723c37ca743cb948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnCCE6.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD083.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD083.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD083.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD083.tmp

Filesize
38B

MD5
126ad640770dd1f288c9a4d9fbeecab5

SHA1
dbe4d454c6d9dff4ed8b04a39209190b2529d1e4

SHA256
780f059c1ffcb14edc11dab4df03f7bf6eaee9256d536bfc55fb7bc8da51ed0f

SHA512
5f19bb186b0a723e13c84f112d9547021b3e6b5aefbc9eb8d2d5aa82d3b1df18ed0ff46ec5b2511565a71202c8921cc5194f138460fd6479cf974bfb9d122c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD083.tmp

Filesize
46B

MD5
19523399a789c7f1089e137f0a19e424

SHA1
8eb7e76c3137ef45b2a45dae4a23d40e2b8ff102

SHA256
36c73b1a08dceae73f77bd7e6b979ba0b6addb8f38f9451287d559f8efe1799c

SHA512
8afb45b364147e46b9341aa7d4eb5afc68baa6db6362aee57f19ff642b8f1b818b1a30c9024d5b7ebff7fc031bf4de9226f14ef104c6cc30ddbd964b34745907

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD083.tmp

Filesize
56B

MD5
6be1fc61ef445284ae963b5f74615f66

SHA1
3c1cb4c84d46db513530f271e4f89993217d7291

SHA256
b091f88a1dbbde4a52f427ad4af8322dbc07c1f202c26dffc3928b084e6ed53e

SHA512
1fb3746bbbbdbee7bb0c36b2e5e0e3903554cbaeb8650632a5ba726b5f4305a641da13ba7d62f051bfc30bfd3e615e4c1be3334244b40c272811692754327913

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD083.tmp

Filesize
59B

MD5
cf11234bc93997f0f159e533250a80b4

SHA1
ab3f3befef23f1e0f366b3b1f7760293a1410103

SHA256
dcd734d5d3b14009b81beb648329c6ad63775b81c362cc484b18efca1adad16d

SHA512
9093a67c438a19110170e74b95f1752d2922ab59e272f3fb0962348d4af3f23d16098c264bd3c3b2a822fae97700d2370dfcd4e20c0e16d4f60ec644cfb57142

Download Submit
memory/636-572-0x00000000016E0000-0x00000000043FC000-memory.dmp

Filesize
45.1MB

Download
memory/636-573-0x00000000016E0000-0x00000000043FC000-memory.dmp

Filesize
45.1MB

Download
memory/636-574-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/636-575-0x0000000000480000-0x00000000004C8000-memory.dmp

Filesize
288KB

Download
memory/636-576-0x0000000036FD0000-0x0000000037574000-memory.dmp

Filesize
5.6MB

Download
memory/636-577-0x0000000036EE0000-0x0000000036F7C000-memory.dmp

Filesize
624KB

Download
memory/636-580-0x00000000016E0000-0x00000000043FC000-memory.dmp

Filesize
45.1MB

Download
memory/648-568-0x0000000004A30000-0x000000000774C000-memory.dmp

Filesize
45.1MB

Download
memory/648-569-0x0000000077141000-0x0000000077261000-memory.dmp

Filesize
1.1MB

Download
memory/648-570-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/648-571-0x0000000004A30000-0x000000000774C000-memory.dmp

Filesize
45.1MB

Download
memory/648-567-0x0000000004A30000-0x000000000774C000-memory.dmp

Filesize
45.1MB

Download