guloader | 98d06e4d2c0ca3e9d257f28269a4a1040c1fa51ddbb6214e8d2b6eed2ab8aadf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE ORDER DLNG REF. 4520007395.exe
Size

1.2MB
MD5

02c65afc817f61d1d182e170a44d4843
SHA1

01ae56d0d7be193e9645a18e466038ae186bf944
SHA256

98d06e4d2c0ca3e9d257f28269a4a1040c1fa51ddbb6214e8d2b6eed2ab8aadf
SHA512

d0d49fe7a5a896e980d9558b0c170756a1e64a8e0ed903961bb1e6da5540a0b3dd21310e5e7360fb31a66b4662d10685a8f5e6dc7116e267f64d0f431047a066
SSDEEP

24576:03bKxS8debw/ZG0eaFsGzjeN/9JmLu+dzUdj+F/:03GQZbwi4fY/9Uaoqq/

Score

10^/10

guloader vipkeylogger collection discovery downloader keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.copinsa.com
Port:
587
Username:
[email protected]
Password:
fF@P??Jw(Nkz
Email To:
[email protected]

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Loads dropped DLL 2 IoCs

pid	Process
2644	PURCHASE ORDER DLNG REF. 4520007395.exe
2644	PURCHASE ORDER DLNG REF. 4520007395.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE ORDER DLNG REF. 4520007395.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE ORDER DLNG REF. 4520007395.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE ORDER DLNG REF. 4520007395.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	drive.google.com
19	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	checkip.dyndns.org
36	reallyfreegeoip.org
37	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
896	PURCHASE ORDER DLNG REF. 4520007395.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2644	PURCHASE ORDER DLNG REF. 4520007395.exe
896	PURCHASE ORDER DLNG REF. 4520007395.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Spatha250\outscorned.cir	PURCHASE ORDER DLNG REF. 4520007395.exe
File opened for modification	C:\Program Files (x86)\chancelleries\fritage.ini	PURCHASE ORDER DLNG REF. 4520007395.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\miljberedskabets.ini	PURCHASE ORDER DLNG REF. 4520007395.exe
File opened for modification	C:\Windows\Supersimplify.ini	PURCHASE ORDER DLNG REF. 4520007395.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PURCHASE ORDER DLNG REF. 4520007395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PURCHASE ORDER DLNG REF. 4520007395.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
896	PURCHASE ORDER DLNG REF. 4520007395.exe
896	PURCHASE ORDER DLNG REF. 4520007395.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2644	PURCHASE ORDER DLNG REF. 4520007395.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	PURCHASE ORDER DLNG REF. 4520007395.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 896	2644	PURCHASE ORDER DLNG REF. 4520007395.exe	86
PID 2644 wrote to memory of 896	2644	PURCHASE ORDER DLNG REF. 4520007395.exe	86
PID 2644 wrote to memory of 896	2644	PURCHASE ORDER DLNG REF. 4520007395.exe	86
PID 2644 wrote to memory of 896	2644	PURCHASE ORDER DLNG REF. 4520007395.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE ORDER DLNG REF. 4520007395.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE ORDER DLNG REF. 4520007395.exe

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER DLNG REF. 4520007395.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER DLNG REF. 4520007395.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER DLNG REF. 4520007395.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER DLNG REF. 4520007395.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\extrudes.ini

Filesize
38B

MD5
09e985a98beb49d2e4e39bcc53418fcb

SHA1
115f25c7aac7f7109e072ddae02d0fda28633ce9

SHA256
5edbc616b4c34d75203eb67a629506f1529cfc87576cd1e9a541e2614889a59e

SHA512
22f3db81b752e634ed33c280b83c0a5fc02360cc8838f27650bbd647de7bf2dbdf894cb86cc28c9b35bb10c8ef59c4d8a844882b627b8765cb1a331af4d065a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA077.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA077.tmp

Filesize
17B

MD5
de15696c9e742811f33a76627a5af41a

SHA1
888fbecc300c1487bc2cc47ccfc562a622d4800f

SHA256
67e9b2f9ff46c1d3b647fd5df95b6014021dbcb74a2aa2f5e4fc99c733520545

SHA512
92f92c15bbf47bf31ea9130261198219b2c703ec6eb62af9e9b80c38639fd23b867752b6daab612f83d75e988c1ec641acf900904272babbfb82a48a51c65254

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA077.tmp

Filesize
22B

MD5
7b381311a78901489326c8a317ddf8cd

SHA1
37d010f4fb37e77310effc7625dadbbbb36e8fe4

SHA256
59813bc6f04b4d5a16bd89d01602f4308759a60a579022a6bd209c1c0e8b463b

SHA512
626e1a6b65a7909b365f1b8623d9589889ac92f118f9c56d379af6e66e689075a70a82f76a790512203840506d8400c17f8afbd8a60540c14042c35e622a76e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA200.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA200.tmp

Filesize
13B

MD5
7a02f5fcc4fa926f656690c64b909ab6

SHA1
b92430a7da87fac12ae7ba0aea3cc4373a91b2ce

SHA256
4c9cf56a764d54f52d17f4d6a99962dee20b5fe54888357ea9532bb8c54869c9

SHA512
1f95dbfdda145dd50b2c9013fb165cb84eb87879442c30b92106923aaffd755358efb602640f461d81a300a06a905ba38a14eb10fa854105c577c0ce0239e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA200.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA200.tmp

Filesize
26B

MD5
b7e56998ef81615a40866acb94c2f30a

SHA1
205d7d70bb8077a220d58f0bea2975fef5acf95a

SHA256
0b50a60cc7418cc1aec43be27dad966a1cf62eea10f825cb93d62b265c7e5dd7

SHA512
4f8a5482c7a21fc0f33e7da187ba7e9ef1250729ec30e56cee98c86e96a5307387436639040905f88ac9af24117d8c8094d142a70c2144c5935b1ace877dd731

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA423.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA423.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA423.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA423.tmp

Filesize
17B

MD5
26b5d572c05bd48008d83ec69a9fe7d8

SHA1
f030b576e69f6071fffee62f3d4447a4ae004812

SHA256
54dc16ada6e12dd1bb2ade6f6c3b9d0e51ebc00568d8022e19cd542620ca8752

SHA512
1a78242b3184d3316b53c8e329c2878c2eefb821aff0363b620ed906e7fa745375160015e9c6639a616a5767be6ba0829faf0332404bec85f412720cdb7a6f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA1EF.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA741.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA741.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA741.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\longboats.ini

Filesize
33B

MD5
cea01eef869275aa756d608e89aa08a0

SHA1
263e370ea1719da6115da34655bb1cbe7a0ec1e2

SHA256
86093ec9c019f200f7c265fffd5076c99d89f44cc04dfbe9aee58256cc381a29

SHA512
b1e2efa2c361f1cc8db364d229f284594d0fa9b4769818356d32cf9c79aa3501a95d2d69f81179b1796dbb958bc90c21619bbe76d537885093ed0b324fe4dd08

Download Submit
memory/896-1157-0x0000000001AA0000-0x0000000002D63000-memory.dmp

Filesize
18.8MB

Download
memory/896-1156-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/896-1167-0x0000000036A60000-0x0000000036A6A000-memory.dmp

Filesize
40KB

Download
memory/896-1166-0x00000000369A0000-0x0000000036A32000-memory.dmp

Filesize
584KB

Download
memory/896-1164-0x00000000368A0000-0x00000000368F0000-memory.dmp

Filesize
320KB

Download
memory/896-1140-0x0000000001AA0000-0x0000000002D63000-memory.dmp

Filesize
18.8MB

Download
memory/896-1141-0x0000000077C68000-0x0000000077C69000-memory.dmp

Filesize
4KB

Download
memory/896-1142-0x0000000001AA0000-0x0000000002D63000-memory.dmp

Filesize
18.8MB

Download
memory/896-1143-0x0000000077C85000-0x0000000077C86000-memory.dmp

Filesize
4KB

Download
memory/896-1163-0x00000000366D0000-0x0000000036892000-memory.dmp

Filesize
1.8MB

Download
memory/896-1162-0x0000000077BE1000-0x0000000077D01000-memory.dmp

Filesize
1.1MB

Download
memory/896-1159-0x0000000000840000-0x0000000000882000-memory.dmp

Filesize
264KB

Download
memory/896-1160-0x0000000035BA0000-0x0000000036144000-memory.dmp

Filesize
5.6MB

Download
memory/896-1161-0x0000000036150000-0x00000000361EC000-memory.dmp

Filesize
624KB

Download
memory/2644-1134-0x00000000046F0000-0x00000000059B3000-memory.dmp

Filesize
18.8MB

Download
memory/2644-1135-0x0000000077BE1000-0x0000000077D01000-memory.dmp

Filesize
1.1MB

Download
memory/2644-1139-0x00000000046F0000-0x00000000059B3000-memory.dmp

Filesize
18.8MB

Download
memory/2644-1137-0x0000000074835000-0x0000000074836000-memory.dmp

Filesize
4KB

Download
memory/2644-1136-0x00000000046F0000-0x00000000059B3000-memory.dmp

Filesize
18.8MB

Download