guloader | f6ad2374fe19582a54ac0b9972ec41223f4291af9e49834fbd240629b9c74e62

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FA25000003_PDF.exe
Size

556KB
MD5

6ca301ca8387dce5fd21f318ebba05c6
SHA1

42721db007b2a33119e951aa29749af25bc4cf01
SHA256

f6ad2374fe19582a54ac0b9972ec41223f4291af9e49834fbd240629b9c74e62
SHA512

37eb46fc6493dc3ee783a9fbfba56356f3a088dca8c53ba4d7f7aa3dd2f56c2f8ab5567bce3118f0611a7923e4cda12174f407b3262c1f4f41f07835fcc1f618
SSDEEP

12288:Ak2r86ZoU8clmyN7oOX4V44I5pqAm3R3W6TRVZdMN6:m86SU8clmyNI44InqRR1ZdM0

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7581561605:AAGI-5iG4DeXqVhNDvhaICvGbOejumUD6AE/sendMessage?chat_id=5434550993

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 10 IoCs

pid	Process
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe
4760	FA25000003_PDF.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FA25000003_PDF.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FA25000003_PDF.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FA25000003_PDF.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	drive.google.com
20	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	checkip.dyndns.org
37	reallyfreegeoip.org
38	reallyfreegeoip.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\equity.Mag	FA25000003_PDF.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4256	FA25000003_PDF.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4760	FA25000003_PDF.exe
4256	FA25000003_PDF.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 4256	4760	FA25000003_PDF.exe	86

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA25000003_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA25000003_PDF.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4256	FA25000003_PDF.exe
4256	FA25000003_PDF.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4760	FA25000003_PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	FA25000003_PDF.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4256	4760	FA25000003_PDF.exe	86
PID 4760 wrote to memory of 4256	4760	FA25000003_PDF.exe	86
PID 4760 wrote to memory of 4256	4760	FA25000003_PDF.exe	86
PID 4760 wrote to memory of 4256	4760	FA25000003_PDF.exe	86
PID 4760 wrote to memory of 4256	4760	FA25000003_PDF.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FA25000003_PDF.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FA25000003_PDF.exe

C:\Users\Admin\AppData\Local\Temp\FA25000003_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\FA25000003_PDF.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\FA25000003_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\FA25000003_PDF.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh712A.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712A.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\secondo\ruddys\Jageren\birgita.txt

Filesize
4KB

MD5
2e7baf4f3c9f5830af25c66ecbe1dac4

SHA1
275ee3d8faeef514ec71605788561bae14f3a48a

SHA256
37346b6387f7d33a9eab62407f94cd716081eb80d7443db91b788479e6fcaf4c

SHA512
a7900cc0e56998f9cd30b24584c15a8a533139cb01d16bf2046c1b1bf5ffbd67216aac69a83d1968206a99185f692bf21429622cbf53a9abbbf528ff21f7cb45

Download Submit
memory/4256-71-0x00000000368C0000-0x000000003695C000-memory.dmp

Filesize
624KB

Download
memory/4256-73-0x00000000016E0000-0x0000000003794000-memory.dmp

Filesize
32.7MB

Download
memory/4256-80-0x0000000033DB0000-0x0000000033DBA000-memory.dmp

Filesize
40KB

Download
memory/4256-79-0x0000000033CF0000-0x0000000033D82000-memory.dmp

Filesize
584KB

Download
memory/4256-76-0x0000000037150000-0x000000003767C000-memory.dmp

Filesize
5.2MB

Download
memory/4256-55-0x00000000016E0000-0x0000000003794000-memory.dmp

Filesize
32.7MB

Download
memory/4256-68-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4256-69-0x0000000000480000-0x00000000004C8000-memory.dmp

Filesize
288KB

Download
memory/4256-70-0x0000000036310000-0x00000000368B4000-memory.dmp

Filesize
5.6MB

Download
memory/4256-75-0x0000000037070000-0x00000000370C0000-memory.dmp

Filesize
320KB

Download
memory/4256-74-0x0000000036E80000-0x0000000037042000-memory.dmp

Filesize
1.8MB

Download
memory/4760-51-0x0000000004A50000-0x0000000006B04000-memory.dmp

Filesize
32.7MB

Download
memory/4760-50-0x0000000004A50000-0x0000000006B04000-memory.dmp

Filesize
32.7MB

Download
memory/4760-54-0x0000000004A50000-0x0000000006B04000-memory.dmp

Filesize
32.7MB

Download
memory/4760-53-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/4760-52-0x0000000077731000-0x0000000077851000-memory.dmp

Filesize
1.1MB

Download